Annual Conference and Global Internal Audit Leadership Summit 2017 (27 Oct)

Managing Cyber Risks. (KPMG) Cybersecurity is one of the top 5 risks as rated by CAEs. Cyberattacks are one of the top 3 man-made risks which can be addressed. In a survey, Asian CEOs aren’t as well prepared as their US counterparts when dealing with cyber risks and cybersecurity. There is a need for cybersecurity risk assessment. Sometimes, insiders can provoke a cyberattack too. Due to the widening of the digital footprint, it can lead to greater cybersecurity threats. External threats like new technology, technology change, regulatory compliance and changing market forces will continue to affect the cyber landscape. The new cybersecurity bill by CSA is slated to be released in Feb 2018. The Bill will affect CIIs from 7 different industries. The cyber risk gap needs to be plugged through the use of specialist reviews and audits. Some of the losses that an organization could face are theft of client information, IP, corporate date, DOS attacks etc. Nowadays, it is quite common for the attacker to attack your service provider (since there are less strict internal controls) and get information from them about your company. Some of the staff from your vendor might not be well screened also. Usually, there is no point trying to figure out who the cyber-attacker is as it is hard to prosecute if it’s not in Singapore jurisdiction. Some of the tactics that cyber-attackers use is ransomware, key loggers, phishing, insider data theft and man in the middle attacks. Do not give away passwords at any cost. Training/education is important, more so that IT tools at times. As auditors, we can audit the data classification in an organization. Cybersecurity is a growing factor and needs to be included as a risk indicator. There needs to be a detailed response plan after being attacked. There is also a need to link the cybersecurity threats to your business. One can read the ISO27000 series, MAS TRM Guidelines, NIST, COBIT and others.

SAP Case Study. (SAP) SAP is a German company. Maintenance costs is a big part of the implementation costs of having such an ERP software. For SAP itself, some of the risks facing the organization are acquisition risks, cloud computing etc. Within the audit team, they use the SAP Audit Management Software, which is automated from the end to end auditing process. One will be able to see clear audit plan overviews and also real time status updates of the plan. There are also resource management tools in place which will help improve the global resource transparency. In addition, there are audit executive dashboards in use. All these lead to better cost savings, user satisfaction and faster audit cycles for the organization. As a result, during quality assessments, the IA function scores better. Analytics helps in audit sampling for auditors.

Internet of Things. (Microsoft) The Internet has shifted from the Internet of content to service to people and now to ‘Things’. Internet is very commonly used nowadays as it is more efficient and has led to increased productivity. It has brought the whole world together through Skype. There is data in chips in our everyday devices and such data can be harnessed for decision making. Some of the benefits of IoT are that it leads to 1) safety, comfort and efficiency; 2) faster decision making; 3) revenue generation. Some of the risks of IoT are 1) privacy, security and legal (types of data collected can be collected and should be collected etc). The major challenges that will be faced are to obtain the business and IT buy-in and also the fact that data magnitude can be huge and complex and hard to interpret. It is important for IA to stay ahead of the changes and understand the risks emanating from IoT. We need to be trusted advisers to the business. CAEs need to determine the skillsets required, like from data scientists, private specialists etc. IA needs to recruit the right people. We need to change our approach to how to audit etc. The process flow is like this: device connection -> data sensing -> communication (access rights) -> data analytics (queries etc) -> data value -> human value

Data Analytics at MAS. (MAS) Data is the new AIR that we breathe. Insight is the new storage of value also. There are a few Vs we need to be aware of: Veracity, Value etc. We have approached the other departments, like banking, insurance and capital markets, to understand what are the pain points of these departments. We have moved from rule based (AML + STR) to machine learning. There is a strong need to enforce data quality and to move from just big data to smart data. Labels must be given for supervised machine learning in order for it to work more efficiently. However, there is also such a thing as unsupervised machine learning etc. For data, there is a need to achieve generalisability. An important question to ask is whether your model can work on future data? Or just past data? Ensure that your data can be interpreted and cleaned before it can be used. The process is as follows: 1) know the question; 2) understand the data; 3) find the right algorithm; 4) be aware of the limitations; 5) be sceptical; 6) automate; 7) experiment. It is important to share insights across the different departments. Machine learning is a programme which automatically improve its performance through learning and experience. Culture is hard to change and in fact, culture is more important than the application of an algorithm.

Cybersecurity Lessons Learned. (SWIFT Asia Pacific) SWIFT is a co-operative that is based out of Belgium. Nowadays, cyberattacks are tailored for a particular institution and that can be really scary. Hackers are now able to perform multi-stage attacks. There is a hacker collaboration space in the dark web. Cross-border banking usually requires the use of SWIFT. Hackers have different motivations for committing crimes and it is difficult to predict. Cyber must be managed from the top-down. One needs to understand that spending money doesn’t make you more secure and there is a need to evaluate cost-benefit analysis. At times, it could be the client servers which have issues. There is a need to dictate how the client runs their programmes in order to secure their environment. There needs to be a cyber-response plan in place to address attacks and to recover. In future, SWIFT would make it compulsory for banks to report on their compliance to SWIFT’s assurance framework. This will certainly help to improve transparency.

Ethics in a Digital World. (Avande) Avanade is a cloud service provider and is a partnership between Accenture and Microsoft. In this digital age, there is a debate between Personalization vs Privacy. Facebook tried to have two bots chats with one another, but they turned racist and eventually had to be put down. Although AI development is swift, it might be necessary to put the guardrails on AI and curb its growth in view of ethical considerations. What is morally acceptable in today’s society? What is lawful? Digital is becoming a way of life and ethical behaviour is vital in this day and age. Is there a need for a framework to manage ethical dilemmas? What are the possibilities of digital tech? Core ethical values are embodied by leadership and there needs to be a good tone from the top.

IA in the Age of Transformation. (Asia Pacific Black Sun, Sofitel Singapore, UOB, NTUC, EDB) What are the elephants in the room? This refers to important issues that are not being addressed by IA. IA needs to keep themselves relevant. 43% of jobs in Singapore can eventually become automated (mechanized, robotized, digitalized) etc. However, there are still many opportunities in the audit space to add value. IA needs to be high tech, high touch (build strong relationships with management), and high trust. IA’s job is to highlight exceptions to management and in order to do so, they need to be loud and courageous in the boardroom and not shirk from difficult conversations. IA needs to avoid getting on the newspaper. IA needs to familiarize themselves in the area of sustainability reporting and professional scepticism. IA needs to constantly update themselves through attending training etc. Industrial domain knowledge is also important and this is usually learnt on-the-job. People retention is important and there could be a risk of knowledge loss without people. There is a need for IA to provide inputs on controls for IT projects right at the start. If there are no audit findings, it is possible for IA to issue a clean audit report. IA should gradually take on a more advisory role for the business.



Annual Conference and Global Internal Audit Leadership Summit 2017 (26 Oct)

Opening Address by Guest of Honour (Professor Tan Cheng Han). (SGX RegCo) Singapore Exchange Limited (SGX) has moved to a disclosure based regime for markets for regulators. Shareholders are active and can ask questions of the management or try to get rid of a few directors. There is a need to listen to businesses nowadays when trying to propose new regulations. We have moved from a prescriptive to a more principle based form of regulation. Nowadays, we listen to market participants and seek their inputs. We live in an uncertain world. Lawyers should facilitate transactions and not simply keep telling people want they cannot do. They should guide people to be able make decisions within the legal framework. In this way, it is similar to what Internal Audit does. As an auditor, it is important to stand your ground and do the right thing, all the time.

Transforming Internal Audit. (AIG) It is important for IA to be clear of their role. Internal Auditors should read the ‘Common Body of Knowledge’ by IIA and also the ‘Global Trends of 2030’. Our job is to find things and to help management see things that they have not been able to see (i.e. provide assurance). Many companies have evolved over the years, like IBM, GE, Rakuten in order to stay alive. Some might have to abandon their traditional model just to keep afloat. IA can also read ‘The Fourth Industrial Revolution’. Internal auditors should all get the Certified Internal Auditor certificate and show that they belong to a professional body with high standards. We all need to comply with IIA standards. The current IA role is shifting from one of assurance to also one of advice and insight. Some of the more recent trends in internal audit include performing data analytics on the whole population. Combined assurance is also one of the up and coming trends in Internal Audit.

In Conversation with an Audit Committee Chairman. (SIA, DKSH) The IA team in PwC has grown tremendously since its inception. The role of IA is to provide an independent assurance on governance and risk management. Is the level of risk management adequate for the business? IA should also get inputs from management on their performance. One factor to judge the CAE is on whether the audit plan is incomplete and what the status of the plan vs is the execution. One option is to conduct a 360degree feedback exercise. A CAE’s pay package should be established by the remuneration committee and with inputs from the audit committee. The bonus paid is relevant to the company’s profits and individual performance. IA is a business partner and must not be seen as competing/slowing down the business. There is a need for internal auditors to retain a strong ethical and moral compass when discharging their duties. If you feel you are being mistreated by management, do highlight this fact to the Audit Committee. In cases of disagreement with management, it is important to highlight to the AC what is your position. It may be wise for audit partners to resign from the audits where there is serious disagreement with management. Before joining an organization, it is important to try and assess its culture and whether the culture is ethical etc. The CAE must be outgoing and interact seamlessly with other stakeholders. He must demonstrate leadership potential etc. One way to assess that is through conducting reference checks on his background etc. It is not necessary for internal auditors to have accounting backgrounds. However, it is difficult to be a CEO without a finance/accounting background. In general, having a diverse IA team is important. As the chairman of the AC, it is important to do preparatory work and also to meet the IA informally a few times a year. For young auditors, it is important to spend on your own career development and set 3 year career plans on what do you want to achieve etc.

Innovative and Agile Internal Auditing at Google. (Google) In Google, the employees practice moonshot or 10x thinking and they try their best to think differently. Waymo is their project on self-driving cars. They have many interesting projects like on Calico, Capital G, Deepmind, GV, Jigsaw, Nest, Sidewalk Lass, Verlly, Waywo, X etc. Google was incorporated in 1998 by Sergey and Larry. Read the Founders’ letter to get an insight of some of Google’s core values. Also, on their website, there is a hilarious list of ’10 Things we know to be true’. Their IA has also to fit in with the culture at Google and they are moving away from SOX compliance to other forms of combined assurance. An intense level of collaboration is expected at Google. They use many syncs, tools and techniques to get their work. The stakeholders are usually understanding and it is not difficult for IA to receive information. Also, the IA team uses software so that the client can see the IA reports at any time and also there is live QnA that happens every Friday. The software will enable the IA team to view the project status live and also to view audit working papers. Audit findings are tracked using software. As for hiring, Google looks for collaborative people. As for other skills, Google looks out for cognitive abilities, role knowledge, leadership and Googleyness. The top down approach doesn’t always work and Google tends to empower employees instead. Due to the speed of change, the IA team only develops a 6 mth rolling audit plan and revises it accordingly due to changing level of risks.

Auditing Big Data. (New York State Office) In the New York auditors’ office, the IA role has been expanded to include both artificial intelligence and data analytics. Big data makes decision making easier and faster. Avoid rolling out apps when not many have access to the network. The greatest opportunities will come at a risk. You have to get comfortable with being uncomfortable. There is a need for big data and technical skillsets. Big data is large, complex and covers many complex data sets. There is a trend of lower cost of data storage. Despite this, data tags will help in the data retrieval. Big data has really helped the audit team in NY to improve the audit efficiency and effectiveness. There are mainly 4 risks associated with Big Data: 1) program governance; 2) tech availability and performance; 3) security and privacy; 4) data quality, management and reporting. When using big data, it is important to ensure that there is no invasion of privacy and that it is legal to collect and use any particular form of data. It’s a massive leap to fully integrate by data and analytics. The auditors analyze social media like Craig’s list to detect unlicensed car repair workshops etc. The team also builds AI when it is not available.

Geopolitical Risks – What does it mean to Organizations and Internal Audit? (Focus Strategic Group Inc) Internal Auditors need to understand global and regional trends facing them. There are many geopolitical risks in this world and these threats can lead to supply chain disruptions. There is a massive distribution of wealth problem in this world. Some of the major events that have impacted the world are the Israel/Palestine conflict, war in Syria, Greece debt, Brexit, appointment of Trump, Spain/Catalonia separation. There is an increasing trend of protectionism for major economies and these countries are also against immigration. Trump is against the North American Treaty agreements, the TPP etc. In this world, there is only the certainty of uncertainty. People fight over many things, like land, resources, religion, perceived inequalities etc. China is also striving for more economic co-operation and wants to be the next Superpower via their one Belt one Road programme. They are also looking at how to harvest resources in the Arctic Circle. China started the Asian Infrastructure Investment Bank (AIB) and there are currently 57 countries on board with them. This bank can help provide funding for major infrastructure projects. The 3 prominent tech companies in China are Baidu, Alibaba, Tencent etc. In IA, we need to ask ourselves whether our organizations are secure. There is also a frequent need to check asset risks, read up on the latest news and check countries’ sovereign ratings. It is also possible to buy insurance to cover losses arising from geopolitical risks.

Panel Discussion: Transforming Internal Audit. (VISA, GIC, Google, SIA) There is a need for internal auditors to develop a more diverse set of skills especially in this world of digitalization. IA can be the change agent and also shape the company’s culture. For listed companies, IA can check compliance with the listing rules with methodology. The modern IA role is beyond compliance and more towards advisory. There may be a need for IA to revamp its methodology and include the need for analytics. IA needs to be proactive, adaptable and diligent. As auditors, we need good communication and networking skills and have the willingness to do things better. There is a need to use CAATs like Qlikview, SQL, Tableau to improve data analytics skills. There is a need for executive support before a data analytics programme can be rolled out successfully. One should start with the small DA projects with ROIs in order to show to management that it can work. An advanced maturity of data analytics would include things like predictive/behavior analytics and robotic process reengineering/augmented intelligence. Whereever possible, it would be good for IA to be able to automate its processes. IA can perform the prediction and look through the red flags. It is important to have good mentors who will grow and support you in your relationship. Auditors need to be curious and learn continuously. Company culture can be assessed via analytics and by the conducting of employee opinion surveys.


audit financial company tax investigation process business accounting

Annual Conference and Global Internal Audit Leadership Summit 2017 (25 Oct)

Audit Committee’s Expectations of the Chief Audit Executive in an Uncertain World. (Singapore Institute of Directors) We live in an uncertain world with plenty of technological advancements and digitalization. The world can be termed as VUCA (volatile, uncertain, complex and ambiguous). The advent of tech companies like Uber, Airbnb have caused the downfall of many traditional businesses. One thing is for sure, technology is here to stay and it will continue to disrupt economies. The Financial Reporting Surveillance Programme by ACRA revealed that there is still work to be done in terms of complying with FRS for listed companies. The surveillance programme also reaches out now not just to companies with qualified audit opinions, but those with unqualified audit opinions. ACRA has stated 8 audit quality indicators which will be important for IAs to follow. The recent enhanced auditor report format requires the key audit matters and other information to be disclosed (notes to FS). In Jan 18, companies will need to comply with the IFRS 9 on Financial Instruments and the IFRS 15 on Revenue. Also, in general, there is a move from SFRS to IFRS convergence in Singapore. In addition, for listed companies, it is mandatory for them to produce sustainability reports. This is an area where auditors need to equip themselves with more knowledge. From the above, it is imperative that one unlearns, relearns etc. In addition to provide better assurance, IA can leverage off other assurance providers and work closely with ISD or consider performing co-sourcing etc. The 5 Ls that Internal Auditors need to possess are Learn (lifelong learning on data analytics and how to audit IT etc); Leverage (other assurance providers for AML, cybersecurity etc); Lead (lead the risk management, lead the combined assurance framework/Governance Risk Control framework etc); Live (treat Internal Audit as a form of meaningful work and be passionate about their work); Love (treat IA as a vocation, continue back to the IIA).

The Cyber Resilience Challenge. (RSM, DHL, Datalogic, CSA) To tackle cyber threats, there needs to be a good governance system in place. RSA has a GRC framework and business driven frameworks to address such risks. In addition to cyber risks, an organization must never forget the operational/financial risks and how the cyber risks linked to such risks. Due to the skill of hackers, it is likely everyone will be hacked and it is just a matter of time before it happens. There is a need to weigh the pros and cons of anti-cyber threat measures. In the audit space, IT auditors have a lot of potential to upscale and re-learn. For complex environments, it must be even necessary to develop a hacker mindset in order to perform vulnerability and threat testing. It is important for an organization to have a good risk culture. It is never wise to be naïve when it comes to cybersecurity. There is a need to consider the single points of failure as this might break the organization (for example: a lack of business continuity planning or the drawing up of DRP). In such cases, it might be better to build some form of redundancy. Ask yourself: if you were the CEO, what is the thing that keeps you awake at night? Do not ignore the threat of cybersecurity breaches in your organization.

Auditing at the Speed of Risk in the Digital Age. (DHL) Due to digitalization, IA needs to keep up to date with the latest market developments and update their risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will be surfaced during a threat assessment would be things like malicious software, hacking attempts, unencrypted information, hacking and data theft. It is important to test the disaster recovery plans (DRPs) and BCPs. Ask yourself what do you fear? One should believe in lifelong learning.

Do one thing every day that scares you. – Eleanor Roosevelt

Maximising Value from the Three Lines of Defence. (DSTA) The first line is the management/ internal controls. The second line is risk management/safety/compliance functions. The third line is internal audit. IA has to move away from traditional assurance to advisory and advocacy work. However, do remember that the core IA work is still in still in assurance. Although advisory work is important, CAE should not take on roles that lead to conflict of interest. CAEs must remember that they do not endorse business decisions. The 3 lines of defence can be linked to the COBIT framework (IT governance). COSO framework also supports the 3 lines of defence model in an organization. Some of the attributes required for a successful 3LoDs are strategy, shared values, system, structure, staff and skills. IA could use dashboards and DA to make their work more efficient. Some are proposing a fourth line of defence for the financial industry (external auditor + MAS banking supervision). Internal Auditors must always fall back on the IPPF. KPIs like competency of procurement staff could be introduced.

The Customer Centric Audit: Learn How to Audit What Customers (and Your CEO) Actually Care About. (Proximity Risk and Assurance) How does one go about auditing the customer experience?  It is important to do so as it concerns the revenue area of the business. One can start by mapping out the customer journey. Identify the brand touchpoints with the customer and also assess the environment. Poor customer experience could have a negative impact on the business, like the United Airlines passenger who was thrown off the plane. IA needs to audit the risk of poor delivery. IA can indeed and should audit the customer experience. Avoid excessive controls as it might stifle the customer experience and affect the quality. Customer experience is something that will keep the CEO awake. IA can sometimes even pretend to be a mystery guest/customer to examine the quality of service. As part of documentation, IA can build up a customer journey matrix and add in the relevant departments responsible for the various sub-processes. Next, IA can test the expected journey vs actual feedback received from customers. If it’s the first audit report on this area, it would be advisable not to grade it. Always remember the importance of good customer experience as it is essential for customer retention.

Panel Discussion: Leading to Make a Difference. (Deloitte, Citi, MOHH, Olam) MOHH IA managed to evolve from a mainly compliance function to now one that fully incorporates DA. It has been a painful process but it has really helped to boost efficiency. IA is now moving beyond compliance. IA needs to adopt a pragmatic approach and look through the lens of the business. It is necessary to get the right strategy. The CAE must be able to engage the senior management well and also explain to them what IA is all about and how we can meet your expectations. In order to be able to influence management’s behavior, IA must have a deep in-depth knowledge of the business. IA should be seen as being impartial, but not be neutral. As the CAE, it is crucial to state one’s opinion and not sit on the fence. Although it may not be a right opinion, an opinion must be based on facts. To be seen as successful, IA needs to be seen as a growth enabler, and not slowing down the various processes. One such way to achieve this is that IA can get involved in the process design stage and give inputs and recommendations on controls. Olam has many e-learning modules to help IA team improve their competencies. Citi has a Chief Auditor for Innovation and they use many tools for analytics in their work. It is now very common for IAs to use data analytics to audit and now 100% sampling is possible. Due to the rigour of MAS’ inspections, banks like Citi needs to step up and comply. This forces the IA team to improve their quality. Instead of simply adding controls, auditors can remove controls to get rid of legacy issues which slow down processes. In order to stay relevant, Internal Auditors need to be passionate about their work and always remember their core job is still assurance.


Astrophysics for People in a Hurry by Neil Degrasse Tyson (Part 2)

The Cosmos on the Table. How did the Earth’s crust acquire the materials? The answer is astronomical. Only 3 elements were natural in the big bang process. The table is a cultural icon for humanity. The periodic table is very interesting indeed as each element has different characteristics. Hydrogen has only one proton in its nucleus, and is the lightest and simplest element. It also forms the core of Jupiter. In the sun, hydrogen collide to form helium. It is not so combustible in nature as hydrogen. It is the second most common element in our Universe. On average, it is about 10% of all atoms. It has 92% of hydrogen’s buoyancy, but without its explosive characteristics. Lithium has 3 protons in its nucleus, and was made in the big bang. Carbon is found in all kinds of molecules and is very abundant. This is the basis of chemistry and all diversity of life. Is it possible to have life forms based on silicon? Sodium is a common glowing gas in street lamps. Aluminium occupies 10% of the Earth’s crust. Titanium is twice as strong as aluminium. It is mostly used for military aircraft etc. The number of oxygen atoms exceed that of carbon. Excess oxygen might bond with titanium to form titanium oxide etc. Iron is one of the most important elements in our universe. It has 26 protons. Gallium is a soft metal that has a low melting point. Technetium is radioactive in nature and is artificial. The book features other interesting metals, like osmium and iridium. It is very dense indeed. Most atoms actually come from Greek names, like Phosphorus, Selenium etc. Ceres and Pallas are asteroids found in the asteroid belt. Uranium is a radioactive element named after Uranus. Neptunium is named after Neptune in 1940. Pluto was eventually dismissed a planet. Plutonium is named after Pluto and was used by the US to bomb Japan in WWII.

On Being Round. Most objects are spherical in nature. It is affected by surface tension. Due to gravity pulling at every area, the Earth is largely spherical in shape as the mountains are very low compared to how big the Earth is. Olympus Mons on Mars is 65,000 feet tall and 300 miles wide at its base. The weaker the gravity on an object, the taller the mountains can form. Non-spherical shapes on Phobos and Deimos form because of the low surface gravity. Stars are near perfect gaseous spheres. However, if it is too close to a massive star, some material can be stripped away. Our Milky Way galaxy is more flat, than spherical. It used to be a spherical, but collapsed at its poles as it spun faster and faster. The Milky Way is neither collapsing nor expanding. It is a gravitationally mature system. Saturn looks like a hamburger and is flattened because of its fast rotating speed. A pulsar is like squeezing the mass of a Sun into a ball the size of Manhattan. The pulsars are the most perfect spheres due to their huge mass and small space. Different galaxy clusters have different shapes and there are no fixed shapes. The entire observable Universe seems like a massive sphere as it is receding in every direction we look. However, as the Universe is expanding faster than the speed of light, there will be some galaxies whose light will not reach us and we will know nothing about them.

Invisible Light. Not all light is visible. There are 7 different colours to the visible spectrum. Different colours have different temperatures. Herschel was the first man to discover infra-red light. UV light was also discovered soon after. Low energy and low frequency to high energy and high frequency is radio waves, microwaves, infrared, ROYGBIV, ultraviolet, X-rays, and gamma rays. There are countless applications for such different spectra of light. Eventually, we built telescopes to detect parts of the EM spectrum. The Universe is actually sending light that our eyes cannot see and we would be dumb not to see it. Even long after supernovas explode, infrared red and radio waves get emitted. There needs to be different mirrors and detectors to detect all light bands. Radio telescopes are extremely large. China has built the world’s largest radio telescope, ranging over 30 football fields large. Humans also developed interferometers. We have 66 large antennas of ALMA to detect microwaves. There are high frequency, high-energy gamma rays with wavelengths measured in picometres. They are measured using a scintillator and we can pump out electrically charged particles that collide with gamma rays and produce light. There were frequent flashes of gamma rays near the Earth which could not be explained. Radio telescopes can detect gas among stars in the galaxies. The different types of light can tell us so much about star formations etc.

Between the Planets. There are plenty of chunky rocks, pebbles, charged particles in between planets. A lot of the small meteors burn up in our Earth’s atmosphere. This helps to protect Earth from such impact. Long ago, a lot of debris hit the Earth, causing our hot and molten core. A lot of junk led to the formation of the moon. Many of the other planets like Mercury, Mars received bombardments, as per the craters in the ground. When a meteor strikes, the impact can cause rocks to emerge up as well. Some of the Moon’s rocks also hit our surface. The asteroid belt is between Mars and Jupiter. Some of them are really large and might destabilize the Earth if it hits the Earth. The Kuiper belt is located after Neptune. Halley’s comet is from this belt. There are some comets between our solar system and the nearest star. These are known as the Oort cloud. The magnetic force on Jupiter is simply tremendous. Some of the planets’ moons are really interesting to study. Io is tidally locked and interacts with other moons. It is the most volcanically active place in our solar system. Pluto and Charon have tidally locked each other. Moons are named after Greek personalities. The sun releases solar wind, which is a release of material from its surface at a rate of a million tons per second. These causes the beautiful aurora on Earth. Jupiter is our big gravitational shield from comets as it helps to defect them away. We also exploit their gravitational field when we launch probes to space.

Exoplanet Earth. There are plenty of beautiful things on Earth. You could probably observe many structures from up in space. Natural scenery and hurricanes, volcanic eruptions should be visible. Earth is just a pale blue dot from Neptune, 3 billion miles away. Earth appears blue due to two-third being covered by water. Once there is liquid water, there will be a stable pressure and temperature. Aliens can notice our weather patterns and even see our polar ice caps. The nearest star is Alpha Centauri, nearly 4 light years away and often visible at night. As Earth is not bright, it will be hard to detect via visible light. However, if you notice a star jiggle, it could mean that an object/planet has just orbited around it. The Kepler telescope is meant to detect other Earth like planets. It detects stars whose total brightness drops slightly and at regular intervals. From this, it can detect multi-planet star systems. Aliens might be able to detect the multiple radio waves that we emit. Light, throughout the Universe, behaves in the same way. Hence, it can be detected through a spectrometer. Methane is a molecule which indicates life stock. The alien’s best bet would be to detect oxygen in our atmosphere. Oxygen bonds readily with other atoms. We have discovered more than 3000 exoplanets.

Latest estimates, extrapolating from the current catalogs, suggest as many as 40 billion Earth-like planets in the Milky Way alone. Those are the planets our descendants might want to visit someday, by choice, if not by necessity. – Neil Degrasse Tyson

Reflections on the Cosmic Perspective. Learn to enjoy the pleasure of intellectual pursuits. Despite all the cosmic wonder, there are still horrible things happening on Earth. Some people are also selfish and do not help others. The world is big, but so should our hearts and minds be. Some adults feel that the world revolves around them and are very self-centered. People hold an expanded view of the cosmos. Humans experience a sense of smallness and insignificance after watching a show where they see Earth in the grand scheme of the Universe. However, I feel large and important. Human beings are not the most important thing in the Universe. Powerful forces make us susceptible. We are all part of this stream of human consciousness. The air and water you consume might have come from ages ago. We are largely made from the same atoms as when the Universe was formed. They are hydrogen, oxygen, carbon and nitrogen. We have to remain open to the concept of multiverses. The cosmos are humble, spiritual etc. They allow us to be more open to knowledge and to accept new ideas. There is no air in space, but yet we can admire its beauty from afar. Astronomy is good because it makes us more curious, and hungrier for knowledge.

Of all the sciences cultivated by mankind, Astronomy is acknowledged to be, and undoubtedly is, the most sublime, the most interesting, and the most useful. For, by knowledge derived from this science, not only the bulk of the Earth is discovered…; but our very faculties are enlarged with the grandeur of the ideas it conveys, our minds exalted above low contracted prejudices. – James Ferguson

Time to get cosmic. There are more stars in the Universe than grains of sand on any beach, more stars than seconds have passed since Earth formed, more stars than words and sounds ever uttered by all the humans who ever lived. – Neil Degrasse Tyson


The End!

Astrophysics for People in a Hurry by Neil Degrasse Tyson (Part 1)

Preface. The public has become more interested in science. In addition, science fiction films help to generate even more interest. Astrophysics has always been on people’s minds. This book summarizes the major ideas and discoveries.

‘The Universe is under no obligation to make sense to you.’ Neil Degrasse Tyson

The Greatest Story Ever Told. Almost 14 billion years ago, the Big Bang occurred and matter and energy expanded. Scientists have worked to try to combine the understanding of the general theory of relativity with quantum gravity. Max Planck is the father of quantum mechanics. Currently, we have no known laws of physics to predict the behavior of the universe over time. The Universe split into the electroweak and the strong nuclear forces. The electroweak forces split into the EM and weak nuclear forces. All this happened in less than a trillionth of a second. Photos can convert their energy into matter-antimatter particle pairs under intense energy. After the interaction of electroweak forces, the universe was a soup of quarks, leptons, antimatter siblings etc. The photon belongs to the boson family. The electron and neutrinos belong to leptons. There are 6 different types of quarks (up and down, strange and charmed, top and bottom). Quarks have fractional charges that come in thirds. Now, a millionth of a second has passed. New heavy particles called hadrons started to form. Now, protons and neutrons started to form. The LHC attempts to collide hadrons to create larger particles. Matter and anti-matter will annihilate one another, but there will one single hadron will survive. Electrons annihilate with positrons, and only 1 electron out of a billion survive. Eventually, elements like helium, deuterium and tritium are formed. Below 3000K, electrons stop combining with nuclei. For the first billion years, our universe expands and cools, while galaxies are formed. More than a hundred billion of them are formed, each containing billions of stars. Some stars explode. Our Sun is simply an undistinguished star. Wayward debris would orbit and form large bodies. These formed planets and the matter would start to cool. Earth is in a Goldilocks zone where oceans are in liquid forms. The early organisms on Earth were simple anaerobic bacteria, which excretes oxygen as its by-product. Ozone was also formed and these protected us from the Sun’s UV photons. We are thankful for the existence of carbon and the various simple/complex molecules. However, often, there are asteroids that hit Earth and cause havoc to our ecosystem. There was one which made dinosaurs extinct. Did our Universe just pop into existence from nothing? The Universe will continue to evolve.

We are stardust brought to life, then empowered by the Universe to figure itself out – and we have only just begun. – Neil Degrasse Tyson

On Earth as in the Heavens. Some of the religious people criticized Newton when he discovered gravity. The 19th century was a time of invention. The Sun contained a lot of similar elements as Earth. Helium was discovered too. Do the law of physics apply to the whole Universe? We sent out the Pioneer 10 and 11 and the Voyager 1 and 2 in the 1970s to look for outside life. All these spacecraft used gravity assists to escape the solar systems. It is not clear whether aliens would understand them. The Big G is the constant of gravitation. Our Universe is indeed very uniform. The speed of the light is one of the most famous constants. It is simply a law of physics. It is not time or location dependent. The conservations laws of mass and energy, linear and angular momentum and electric charge are all very important. Most of the gravity in the Universe is the form of dark matter, which is difficult to detect. Should Newton’s law of gravity be adjusted to account for dark matter? Einstein’s theory of relativity builds on Newton’s law of gravity as it applies to objects of extremely high mass like black holes. The Universality of physical laws make the cosmos very appealing.

Let There Be Light. The cosmos expanded rapidly after the Big Bang. Cosmic background radiation can still be detected. Photons can lose energy and form infrared photons, sliding down the spectrum. When something glows, it emits light in the full spectrum, but there will be a noticeable peak. Cosmic background radiation (CMR) was already predicted into the 1940s. In 1948, scientists predicted what the temperature of the cosmic background should be. Their answer was unerringly accurate. The first cosmic microwave background (CMB) was observed in 1964. They developed an antenna to detect microwaves. There was a constant leftover signal in their measurements. The signal came from every direction in the sky. When we out into space, we are looking back in time as light takes time to travel. Depending on the time that the photons that scattered off electrons, a different colour profile would be registered. The CMB will have spots that are slightly hotter or cooler. Analyzing the CMB will enable you to determine how quickly matter accumulated etc. Dark matter has gravity but does not interact with light. It forces the Universe to expand faster.

Between the Galaxies. There are over a hundred billion of them. How much void is there in space? Our galaxy is the Milky Way. The nearest one to us is over 180,000 light years away. The nearest one which is larger than ours is the Great Nebula in Andromeda, over 2 million light years away. Our detectors have enabled us to detect many more objects. Dwarf galaxies contain only up to a million stars, and they are hard to detect. They are also dim. Often, these dwarf galaxies may get eaten up by the main galaxy. Galaxies can collide and clusters will be formed. There is also the possibility of homeless stars, which are not in any galaxy. Supernovas have been found exploding away from their host galaxies. Supernovas are stars which have increased their luminosity over a billion fold. There are also intra-cluster gas that is so hot and can form stars. Quasars are super-luminous galaxy cores and are extremely distant. These are fascinating due to their huge mass. There are hydrogen clouds everywhere in the Universe. These light also passes through huge sources of gravity. Light that appears to us might have experienced curvature due to gravity etc. There are plenty of cosmic rays in the Universe, which are horrible, and move almost at the speed of light. There are plenty of particle collisions in intergalactic space.

Dark Matter. Gravity is difficult to understand. It has the ability to warp space-time at a distance. For example, light rays bend as they pass by a massive object. The bulk of the gravity in the Universe cannot be explained. Fritz Zwicky analysed this problem in 1937. He noticed some galaxies had a very high average velocity. However, it does not account for the speeds measured. Newton’s laws show that it is possible to achieve an orbital speed to escape the clutches of gravity. Other galaxy clusters also reveal this same problem. This supports the existence of ‘dark matter’ in the Universe. Cosmic dark matter seems to have at least 6 times the gravity of visible matter. It is not matter that happens to be under-luminous or non-luminous. It turns out that dark matter and nuclear fusion do not mix. Dark matter does not seem to do very much. Dark matter only comes into play for large bodies, like the motion of stars around the centre of the galaxy. It seems to be well spread across the Universe. The Universe is expanding, but gravity wants to make things coagulate. We do not know what dark matter is, just that we know that it is real. Skeptics tend to slam dark matter’s existence. Dark matter is real, as it has been deduced from its effects on visible matter. We are trying our best to detect the presence of dark matter. Right now, we just have to be happy with our understanding of dark matter.

Either dark matter particles must wait for us to discover and to control a new force or class of forces through which their particles interact, or else dark matter particles interact via normal forces, but with staggering weakness. – Neil Degrasse Tyson

What we know is that the matter we have come to love in the Universe – the stuff of stars, planets, and life – is only a light frosting on the cosmic cake, modest buoys afloat in a vast cosmic ocean of something that looks like nothing. – Neil Degrasse Tyson

Dark Energy. Einstein perfected the thought experiments in his head and was very successful. His theories withstood the test of time. The general theory of relativity (GR) was published in 1916. Everything in the Universe moves under the influence of gravity. In 2016, gravitational waves were discovered, as were predicted by Einstein 100 years ago. These are created from major events, like the collision of 2 black holes. They first arose almost 1.3 billion years ago, during a collision of 2 black holes. In the 16th century, it was a heliocentric model. However, in truth, the planets revolve the star in ellipses. There was a cosmological constant in his equations of gravity. In his equations, the universe neither expands nor contracts. The masses move along straight-line geodesics. The Universe is never static. The cosmological constant was a big blunder as it was proven that the Universe was still expanding. There are ways to measure the distance from a supernova, for example, from its decreasing luminosity over time. Hubble telescope shows that distant objects race away from us further than nearby ones. Dark energy was present, but scientists could not explain it. Dark energy comprises of 68% of all mass-energy, dark matter only 27% and regular matter only 5%. The predicted shape for the Universe would be a one-way saddle. There is simply not enough mass to explain the Universe’s expansion. This was when dark matter came about. Dark energy helped to raise the mass of ordinary energy and dark matter to the mass-energy density. Dark energy helped to reconcile the differences. These could be simply virtual particles in a vacuum, which can’t be measured. It turns out that there was a place for lambda in Einstein’s equations. Do we need an alternative to GR? The repulsive forces are present in the vacuum, and will grow ever more with increasing vacuum. The fabric of the Universe can carry material faster than the speed of light. In a trillion years, you might not know other galaxies existed. As a result of dark energy, future generations will not understand our Universe. What else should we be looking for?

GR regards gravity as the response of a mass to the local curvature of space and time caused by some other mass or field of energy. – Neil Degrasse Tyson

Matter tells space how to curve; space tells matter how to move. – John Archibald Wheeler

Keep a lookout for Part 2! 🙂


IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risks exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present graphically the results. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risks is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of the anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA need to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have link to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what is has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly work examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.



IIA Magazine Aug 2016 issue

Cybersecurity is an area where it is lacking among major companies. Companies need to step up to beef this area up. Productivity is a main concern for employees. Ethical pressure is greater during organizational change. The COSO framework is expected to be updated in 2017. It will be updated to include the latest risk management thinking and principles. IoT is going to have a big impact moving forward and there needs to be a comprehensive approach to go about doing it.

Analytics-Driven Audits. Before tackling data analytics, internal auditors need to understand the types of data, how it is stored, and how to apply it. Automated audits are the new trend now. It can be applied to many aspects of the audit too. Understand what are qualitative and quantitative data and their measurements. Understand how data is stored and the various formats. Any outliers should be thoroughly investigated. There are 4 types: descriptive, diagnostic, predictive and prescriptive. Learn to gain insight into the business.

The Mind of a Credit Card Hacker. Smart hackers usually lay low. They can steal credit card details and then sell them. Hackers use a vector to steal data, such as phishing. They also need to collect the data quickly and then cover their tracks. The hacker will verify that the cards are valid and start off with transactions of small amounts. If they go undetected, they may get bolder. IA can encourage the company to encrypt the credit card information and monitor access to networks. Access control needs to be checked too. IA is the third line of defence.

Make the Most of Assurance. Assurance maps can enable internal audit to team with other assurance providers to visually convey how risk is managed. IA can work with other assurance providers and depict the results in an assurance map. The map allows one to spot gaps in risk coverage or any overlaps. Assurance maps can enhance and give value to AC too. The map should not be too complex.

Tough Consequences. Adequate contract administration can save organizations a tremendous amount of grief and money. It is important to monitor vendor contracts properly. The contract administrator should be the liaison party and highlight any non-compliance. There needs to be adequate financial controls over the cash receipts and revenue cycles at the vendor’s end.

A World of Connections. The IoT requires IA to confront risks that are not so neatly contained. The impact of this is growing. IoT is about interacting with the environment for business benefit. Emerging risks from IoT must be monitored closely. There are many benefits from using IoT devices too. Management needs to be aware of the risks too. There needs to be a deployment strategy too. A policy needs to be drawn up.

Cyber Resilience. IA should work collaboratively and proactively to address breaches and build resistance to future attacks. Banks need to protect the SWIFT codes. A cyber breach might definitely occur in future. There is increasing use of software to pick up behavioural anomalies. There needs to be both a protective and detective strategy. A response plan is important. Customer data should be given top priority in a cyberattack response. IA needs to understand IT from a technical and controls perspective.

Auditing the Cloud. IA should delve into the complexities and unique risks of moving to a cloud platform. Many companies are making use of the cloud as compared to traditional data center infrastructure. Less manpower is needed to maintain a cloud as well. Servers can be added on demand too. IA needs to verify the security, reliability and availability of the data. No two clouds are the same but the common ones are infrastructure as a service, software as a service, platform as a service etc. It is good to obtain the SSAE 16 report on the vendor as evidence of its controls. It is difficult to track cloud deployment. Cloud assets can keep varying as well and it is difficult to monitor. The data is now stored on the same physical equipment as other organizations and there is a risk of leakage. A security program is still a must. Penetration testing needs to be done periodically to prevent hackers. Relying on the SSAE 16 report is useful, but not sufficient.

Trust but Verify. Control self-assessments can increase audit efficiency and spread control awareness throughout the organization. This is for process owners to self-evaluate the effectiveness of controls. This could be done via workshops/ questionaires etc. Sometimes, it is not possible to deploy a team to perform audits in every area. When CSAs are used, IA needs to explain the rationale to the management. The process owners must be identified clearly. IA needs to independently verify some of their responses. For example, only key controls or only those rated as ineffective may be selected for further testing. Continuous support is a must and training must be provided. The right level of project sponsorship is important too. It can be implemented gradually. CSA enables IA to allocate resources to focus on areas with significant control weaknesses.

Audit Never Sleeps. IA must keep innovating and improving and focus on the organizations that we love. We need to constantly do the right thing and hone our communication skills. Effective communication is the key and getting to know the auditees well is the key. Listening well is crucial too. Nowadays, IA should adopt an integrated mindset. We need to broaden our IT knowledge to meet stakeholder expectations. Applying soft skills are important too. Our work must be guarded by ethics and transparency. We need our approach our work with a strategic focus too. There is also a need to focus on our future.

Optimizing IA. IA are being continually challenged to improve their effectiveness to better meet growing expectations and workloads. IA staffing levels remain relatively constant. IA must be aware of strategy and ensure that procedures align with that strategy. IA should understand what the external risks are. As for operational efficiency, IA should offer cost effective and sustainable solutions. Quality assurance is important to ensure quality and compliance with regulations. IA should identify cost savings, understand business goals, increase collaboration, optimize technologies and strive for continuous monitoring.