SSA 300 – Planning an Audit of Financial Statements

Good planning can really help to focus the audit and make it more efficient and effective.

The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

The engagement partner and key members of the engagement shall plan the audit and discuss the planning with the team.

The auditor needs to perform procedures on client relationship and engagement, evaluate compliance with ethical requirements and understand the terms of the engagement.

The audit plan shall include the nature, extent, timing of planned audit procedures and also the resources required to complete the audit. The audit strategy can be modified as the audit progresses. The extent of supervision also needs to be planned.

The audit plan and strategy must be part of the audit documentation (this can be in memorandum form, checklists, etc.). Significant changes to the audit plan need to be explained. Planning needs to consider things like analytical procedures, understanding of the legal framework, materiality, involvement of experts, etc.

Singapore Standards of Auditing 200 (SSA) Summary

SSA 200 Summary

This SSA concerns the responsibilities and objectives of the external auditor when conducting an FS audit.

The purpose of an audit is to express an opinion on whether the FS are presented fairly, in all material respects, or give a true and fair view in accordance with the financial reporting framework. There is no need to provide assurance on the viability of the business, the efficiency or effectiveness of business processes, or the effectiveness of internal controls.

The auditor needs to obtain reasonable assurance (a high level) about whether the FS as a whole are free from material misstatement, whether due to fraud or error. Audit risk (a function of the risk of material misstatement and detection risk) should be reduced to an acceptably low level. Audit risk is the risk that the auditor expresses an inappropriate opinion when the FS are materially misstated. Note that reasonable assurance is not absolute assurance.

The auditor needs to apply the concept of materiality (at the FS level and at the assertion level for classes of transactions, account balances and disclosures). The auditor is not responsible for the detection of misstatements which are not material to the FS.

The SSAs require the auditor to identify and assess risks of material misstatement (ROMM), obtain sufficient and appropriate audit evidence, and form an opinion on the FS based on conclusions drawn from the audit evidence.

If reasonable assurance cannot be obtained, the auditor should disclaim an opinion or withdraw from the engagement.

Management and those charged with governance are responsible for preparing the FS in accordance with the financial reporting framework, maintaining appropriate internal controls over financial reporting, and providing the auditor with unrestricted access to information for the audit.

ROMM comprises two components: the inherent risk component (higher for complex transactions and those requiring accounting estimates) and the control risk component (controls cannot fully eliminate ROMM due to inherent limitations such as human errors or mistakes or management override of controls).

As per SSA, the auditor needs to comply with relevant ethical requirements (ACRA code related to audit of FS and Integrity, Objectivity, professional competence and due care, confidentiality, professional behaviour), exercise professional scepticism (critical assessment of audit evidence, looking out for fraud risks, looking out for reliability of evidence) and professional judgment (materiality, extent of audit procedures, evaluating management judgments, drawing conclusions based on audit evidence) in planning and performing the audit.

Auditors have to comply with all SSAs that are relevant to the audit. If there is a failure to achieve an objective, there may be a need to modify the auditor’s opinion or withdraw from the engagement.

As part of preparing the FS, management may need to exercise judgment and make accounting estimates which are reasonable in the circumstances.

Management and those charged with governance have to acknowledge and understand a set of responsibilities for accepting the audit engagement.

The auditor must be independent both in mind and in appearance. This is to enhance the auditor’s ability to act with integrity and be objective and to maintain professional scepticism.

Refer to SSA 220 for quality assurance and partner review requirements.

Detection risk relates to the nature, timing and extent of the auditor’s procedures that are determined by the auditor to reduce audit risk to an acceptably low level.

Some of the inherent limitations of the audit include information that is withheld by management and complicated fraud schemes which are difficult for the auditor to detect. The auditor is also not trained to authenticate original documents. The audit must also be performed within a reasonable time and cost. However, despite these limitations, the auditor should not accept less than persuasive evidence.

IIA Magazine Feb 2016 Issue

This is the 75th anniversary year of the IIA.

Capturing the Moment. Experts from around the globe provide a snapshot of the profession, discussing key issues impacting IA. In the past, IA was more focused on hindsight; it is now more about foresight too. Often, some IA staff may want to move to other departments. It is critical to find a clear path ahead for IA. Some of them might just want to stay in the profession forever. There has been a clear shift from compliance to risk-based audits. It is also good to volunteer for the profession. Combined assurance is also becoming more widely used. Students should try to contact the industries and ask for challenging assignments on IA. IA should set aside a portion of their paycheck every month to attend training etc. Work objectives should be clear and there must be clear communication. IA can also provide assurance on the management of strategy risks. IA can also add value to process effectiveness.

A Career on Point. There are many more women in this profession. IA has matured and many have viewed this function more positively now. To some, IA seems interesting and challenging. It is good as it helps you prepare for a leadership role.

Expanding the Foundation. Required audit competencies have changed considerably over the years, placing more and more emphasis on technology, business acumen and soft skills. IA is now a very respected profession. Effectiveness and efficiency are the hallmarks now. Information has increased over time and data analytics is being used more frequently nowadays. Soft skills and business acumen are very important too. Nowadays, it is good for IA to possess leadership capabilities and strategic thinking capabilities. There is a need for long-term adaptability, continuous learning etc.

Changing with the Profession. The IPPF has a history of adapting to meet stakeholder and member needs. They often listen to the needs of the profession. Now, the framework is more broad and flexible in its approach. The Standards are separated into attribute, performance and implementation types.

Twenty-first Century Milestones. Over the last 15 years, several watershed events helped define the practice of IA. IA is never dull. The first is flagrant financial reporting fraud, with cases like Enron etc. IA cannot ignore controls over financial reporting. The next is financial markets meltdown. The dotcom crash and the subprime crisis wreaked chaos throughout. ERM grew in stature as a result of all these meltdowns. The 3 lines of defence is all the more important in recent times. The next 2 big issues were cybersecurity and bribery and corruption.

The Perception of Value. A comparison of 2 IIA studies suggests internal audit may still have a long way to go in delivering stakeholder insight. Most IA are not meeting stakeholders’ expectations. Sometimes, there might be a lack of general management or operating insights within IA. Sometimes, IA also does not consult departments when developing audit plans.

Where We Are. Today’s IA enjoy greater stature within the organization and are working to meet ever-increasing expectations.

A Steady Progression. Audit professionals are in demand. IA needs to shape management’s expectations of them. IA should market themselves more. Cross-training and gaining exposure from other departments is the key. Auditors must be well-rounded and learn to take personal responsibility.

Conformance to the Standards. The top 10 non-conformance issues are: 1) Internal assessments; 2) reporting on the QAIP; 3) recognition of the definition of IA, code of ethics, standards in the IA charter; 4) external assessments; 5) QAIP; 6) requirements of the QAIP; 7) Engagement work program; 8) purpose, authority and responsibility; 9) co-ordination; 10) communication and approval

The ‘Anti-Fraud Moment’. Fighting fraud demands more than just awareness. There needs to be meaningful training when it comes to learning of skills. There is little training on red flag indicators. Create simple articles to share with employees. Record 5 minute training videos. Take advantage of live formal and informal skills training opportunities.

How Much Do Risks Really Change? The risk landscape shifts radically from 1 year to the next. It can change a lot in 75 years. Global events can rock the market and commodity prices etc. Tech breakthroughs happen fast and world events disrupt things. Regulations change as well.

Internal Audit Fundamentals. The most basic skills remain largely unchanged. Critical thinking and communication are the key. Co-sourcing is an option when IA lacks certain technical skill sets.

Around the Globe. IA around the world are providing value to their organizations in a wide variety of ways and at different levels of complexity and sophistication. The role of IA may not be well-understood. Value demonstration is the key. Different auditors will be at different levels of proficiency and maturity.

Industry Roundup. The challenges IA face today are many and vary by sector. Public sector audit has moved beyond compliance or financial audits into performance auditing. There is also emphasis on effectiveness. There are sophisticated products in banking and safeguarding information is one of the key objectives. Money laundering is also a key area to watch. As for health care, issues like quality of service, compliance and data security are all big challenges.

A Different Perspective. IA’s business partners offer their views of the profession. Audit can identify opportunities for improvement throughout the organization. It is important to have a sharing environment. Technical skills matter a lot nowadays. IA should look at areas that management struggle with. IA should not hide or mask problems from management. Being able to understand IT etc would make IA more valuable.

Educating Auditors. Determining what IA students need to know now is a constant challenge. Being skilled in IA is a unique skill that is useful. It is possible to simulate real-world IA case studies for students. IA needs to be intellectually curious to learn more. One cannot speed up experience as time is required.

IA Future. IA allows one to understand the business. Do not miss the chance to meet senior leaders.

‘I realized the role of IA aligned with many of my interests. I wanted to add value and bring a positive impact to a business while understanding how it operates, and IA presents opportunities not found in other roles within the company.’

IT Audit Trends and Foresight. Technology will continue to bring new risks for organizations. IA needs to address the Internet of Things (IoT). We need to understand the inventory of devices and the type of data that is collected. One needs to understand the value of digital strategy.

The Changing Business World. Auditors can anticipate future developments by looking beyond their organization’s current business situation. Africa is going to grow fast in future. Businesses need to create space to think. IA needs to be able to anticipate new risks. IA can follow current affairs. Talk to customers to see how their needs are changing. IA is really looking to delight people.

Five Trends. Top global IA thinkers take a broad look at key issues that will shape the profession. The world is changing fast and risks are interdisciplinary. New risks must be understood and evaluated. IA can learn new ways of analysing and also develop strategic foresight. The compliance scope is continually expanding and making things more difficult. IA needs to link compliance activities to upstream processes and control improvements. It will be a challenge to lower the cost of compliance. Stakeholders are more demanding nowadays. IA must have knowledge of the various industries and any new business lines. Technology risk is getting more complicated. Data is becoming more prevalent and data analytics is getting more useful than ever before.

IIA Magazine Aug 2017 issue

The Technology Issue

A technology revolution. Tech is moving at a fast pace and some businesses may not be able to reap the benefits. IA needs to understand the evolving risk landscape related to the business. Tech will continue to disrupt the landscape and IA needs to reassess what data means to them going forward. Auditors help organizations avoid getting into trouble by identifying issues early and avoid them being surfaced by regulators or the media.

The Cyber Readiness Gap. Organizations may not be prepared for the attacks they are expecting. Ransomware is a big issue and things will get worse. Only half the organizations surveyed have a plan to address ransomware attacks. IA can help to scrutinize cybersecurity practices and plans. IT security governance needs to include the human factor in corporate risk analysis and assessment. IA can move from a supportive to a front-seat role when building a crisis-resilient culture.

More than Compliance with ‘A’. Transforming a compliance program into a value-adding activity starts with IA. Compliance with AML regulations is important. However, many managers do not see value in compliance work. IA needs to ensure compliance can provide real assurance. It is important to do the right thing and do things correctly. Ask yourself why there is a compliance requirement in the first place. IA needs to work with the first and second line of defence to ensure all risks are being addressed. IA should also question the need for, existence of, and adequacy of compliance with A. Sometimes, the original risks may not be present and hence the compliance requirement should not be relevant. One needs to examine the adequacy and effectiveness of the mitigating control. The audit needs to maximize the use of resources and analytics. One can use trend analysis to understand whether risk is increasing or decreasing. Effectiveness of controls can be tested with analytics.

‘But it should not be compliance simply for compliance sake. Internal audit should consider the overarching business objective and the controls that help mitigate risk to the achievement of the objective – even when examining compliance-related controls.’

Stop Clicking, Start Coding. SQL queries can enable internal auditors to uncover greater insights from organizational data. Data needs to be analysed etc. Some auditors are required to learn SQL. It is a language for managing data held in databases. To be good, logical thinking and reasoning are important and necessary for coding. SQL can be tailored for auditing needs and for ad-hoc queries. SQL and other audit software can form a powerful set of analytical tools.

Internal Audit needs risk management too. Managing its own risks can improve the audit function’s performance and demonstrate that it practices what it preaches. One key risk of IA is whether the department is strategically positioned within the organization its objectives. Other risks are whether the department has enough staff, on assurance etc. Reputation risks are important too, and so are compliance risks. Operational risks include resourcing problems, the annual audit plan etc. If audits are behind schedule by about a month, it needs to be highlighted as a red flag. IA can also do a risk control self-assessment to evaluate internal controls in place.

The Cashier Cash Thief. Mounting family pressures and opportunity cause a trusted warranty clerk to pocket payments from customers. IA must emphasize the importance of segregation of duties (SOD) and monitor any exceptions. Trend analysis would allow the organization to detect fraud in a more timely manner. Routine audits are vital for all cash processes. Mandatory vacations and rotation of duties should have prevented fraud from happening.

In Safe Hands. Organizations must grapple with a host of issues when determining how to best protect their data and manage the way it’s used. In Europe, there is a General Data Protection Regulation that goes into effect in spring 2018. It is a stricter regulation than ever before. Firms need to obtain consent for data collected from individuals. IA needs to go back to the drawing board to strike a balance. Respecting someone’s privacy rights is actually a soft skill and needs a soft approach. Privacy controls need to be engineered into business processes. Businesses must be clear about what they need the data for. Many companies do not know where their data comes from and how it is used. IA can be a role model in innovation etc.

Great tech expectations. As technology becomes more integrated with business processes, auditors must raise their IT skills. New auditors usually have better skills than older ones. People with expertise in IT will be in demand. Those with experience in DA will have an advantage over those who don’t. Experience with audit-specific software is also a plus. Auditors need to have an understanding of the infrastructure and applications being used. New auditors are not usually well versed in soft skills. IA needs to have a good understanding of flow, controls and governance. Determine the specialty skills needed. Maintaining the right mix of generalists and specialists is a key IT challenge. IA needs to have a training plan for the IT risk and controls. Training hours need to be tracked and there needs to be information sharing at every meeting.

Building a data analytics program. Six strategies can facilitate progress when starting or furthering an analytics program. Many functions suffer from pitfalls/setbacks. The six strategies are (1) create awareness rather than a silo; (2) understand the data before investing in a tool; (3) plan sufficiently; (4) think big picture; (5) partner with IT; (6) take advantage of visualization tools for inspired reporting.

#PurposeServiceImpact. The IIA’s 2017-2018 Global Chairman of the Board J Michael Peppers encourages IA to unify around the three concepts in his powerful hashtag. Purpose, Service and Impact are important words for our profession. It is about the why we do things. We should help enhance shareholder value through our work. Service is basically walking the talk. It is important to establish credibility with clients. We are both change agents and educators and need to do the right thing. Volunteering is important and internal auditors should strive to give back to the society. Always try to make a positive difference. We need to understand the purpose of the organization.

‘The best and most successful internal auditors I know understand that internal auditing is more than just a job: it is a sincere effort to improve the lot of others, whether organizations or individuals.’

The Root of the Matter. Performing root-cause analysis requires that auditors recognize common myths associated with the process. Addressing the root cause will prevent the issue from recurring. Complex problems may be due to a variety of factors. There may not be a single root cause at times. Use the 5 Whys technique. Sometimes, two root causes can lead to one problem. Some brainstorming is required to address all the root causes. One can use the fishbone diagram and identify problems in different categories like: Man, Machine, Measurements, Method, Materials, and Mother Nature. One can also use scatter diagrams to pair cause and effect and look for relationships. Good recommendations in the audit report should address the root causes of a problem. However, IA should understand that RCA requires time and resources and the organization must weigh the pros and cons of doing it.

Seven Steps to Transformation. IA can assist management throughout the many stages of business change. The first is pre-implementation review. It helps management to identify problems at the planning stage. Ask yourself what is the best ERP project model for ERP packages? The other steps are process/controls analysis, In-flight reviews, IT and User Acceptance Testing and Output/Results testing. The last 2 steps are post-implementation reviews and comparison to project management reviews.

It’s only one word. Excessive audit report wordsmithing is often a disservice to the client – and the audit function. Let those who did the work have a say in the changes. Never make a change unless you can explain why that change is necessary. Otherwise, you are just changing for personal preference. Always explain the reasons for any change to the person who wrote the original drafts. Do not be too anal about phrasing as this will result in rewriting and delays and frustrations.

‘Far too often, the lead, manager, chief audit executive doesn’t like what is written and starts editing the audit report. The process often results in a report the auditor no longer recognizes and, in the worst situations, it says something the auditor never intended it to say.’

The Data Analytics Strategy. Adding analytics to the audit methodology requires careful change management. Funding and resources need to be provided. Integrate data analytics requirements into the audit methodology. Look for quick wins if possible. Use a champion to lead the strategy. The CAE must emphasize that analytics is good as it improves audit efficiency. Analytics can add value not just to fieldwork, but also risk assessment and planning. Data is also evidence and that’s what sells well.

From Ratings to Recommendations. Behavioural psychology suggests internal auditors’ approach could benefit from more carrot and less stick. Audit gradings are hated by auditees as they send a signal that they did something wrong and that things are really bad. The SDT (self-determination theory) shows that human motivation is optimized when the following 3 are present: developing one’s skills (competency); exercising free will (autonomy); feeling connected with others (relatedness). Give your auditee the chance by sharing about common goals and building good relationships with them.

A Man and His Watch (Iconic Watches & Stories From the Men Who Wore Them) by Matt Hranek (Part 2)

Eng Tay. He is an artist. His favorite watch is the Panerai Reference 3646. I always liked vintage items, like cars and watches. In Asia, I loved to window shop for watches. I bought my first Pam from a friend (it originally belonged to a Navy officer). The story of how I got the PAM21 was more interesting. I actually flew down to Singapore and paid crazy money for it. That is just me, I am very passionate about Panerai.

George Bamford. He is the founder of the Bamford Watch Department. His favorite watch is the ‘Popeye’ Yacht Master. I started the watch customization business. I loved cartoon characters like Popeye since young. Because of that, I wanted to put Popeye on a watch. The sales of the watch were a massive success. It’s like paying homage to these characters, but also adding a twist to it.

Everything you buy has a soul to it. You remember the details: exactly when you bought it, how much you paid for it. You want to think of that item as exclusively yours – unique to you. – George Bamford

Mark Cho. He is the co-founder of the Armoury and Co-owner of Drake’s. His watch is the Grand Seiko 61GS Very Fine Adjusted. When I first saw a Seiko that costs 8k, I was shocked. I decided to research extensively on the Seiko and really how significant the watch was. I loved its history. I even visited the Seiko museum in northeast Tokyo. To my surprise, the watch I purchased was also being displayed in the museum. The quality of finishing can rival their Swiss counterparts. Seiko is known for their big flanked lugs, lots of planes and is very angular. One day, Seiko will really live up to their reputation.

I love the Japanese attitude, the dedication to trying to be the absolute best you can be, to really push the envelope even given your own constraints. – Mark Cho

The Grand Seiko is a subtle watch, not really recognizable for what it is, but I like that. It’s a lucky watch for me. – Mark Cho

Holger Thoss. He is a photographer. His watch is the Breitling Chrono-Matic GMT. My dad gave it to me. I loved it very much. All along, I believed in the Buddhist tradition and belief in the temporal nature of things.

It’s also important to cherish the things you have and – this might seem weird to say – to have a relationship with them. You have to honor each object and, at the same time, be ready to let it go. – Holger Thoss

Eric Ku. He is a vintage watch dealer. His watch is the Jaeger-LeCoultre Deep Sea Alarm. He had an obsession with mechanical objects. When I was younger, we often looked forward to getting the full-color catalog in the mail. I kept following this JLC watch, but the price increased over time, and I regretted not getting it. I eventually bought it for $35,000, which I over-paid. However, to me, it was okay. This was really a unique watch because of its rich history. I paid a huge premium for it.

Watches are very personal things – expressions of who you are. And what you’re willing to pay all comes down to perception of value. – Eric Ku

James H. Ragan. He is a former aerospace engineer at NASA. His favorite watches are the Omega Speedmaster Moonwatches. Watches were the backup instrument to test flight time. 4 companies bid. However, the Omega was the most durable. Wally Schirra and Gordo Cooper had worn Omega Chronographs for their Mercury days. NASA kept using Speedmasters thereafter. The Speedmaster Professional came in useful during the Apollo 13 mission. These Omegas really meant a lot to me. The Omega Speedmaster Alaska Project aimed at triple protection. However, it never flew into space.

Omega Archives. I got the chance to visit the Omega archives. I photographed the second-generation Omega Speedmaster ref CK2998. It was Wally Schirra’s watch. I also got to see John F. Kennedy’s watch, which he wore when he was sworn in as the 35th president of the United States.

Alessandro Squarzi. He is a fashion entrepreneur. His favorite watch is the 1968 Rolex Submariner Reference 5508. My dad gave me the watch when I was 18. To me, it looked very modern. It’s a priceless piece.

Gabriel Vachette. He is the founder of Les Rhabilleurs. His watch is the Universal Geneve Compax. The watch was handed down from my grandpa to my dad and now to me. My dad was a watch collector too. The chronograph movement was amazing. I fell in love with watches because of my dad. Later on in my life, I created a watch blog, which was lifestyle focused.

Kenta Watanabe. He is the co-founder of Buaisou Indigo Studio. His watch is the Indigo-Dyed Casio G-shock. I kept soaking the watch in Indigo dye. It turned out to be amazing.

Hamilton Powell. He is the founder and CEO of Crown and Caliber. His watch is the Abercrombie & Fitch Seafarer. It has a running second hand. It was made by Heuer, for A&F. Back then, A&F was a cool adventure outfitter. It was both for adventurers and for guys who like beautiful things.

I also like that it’s a manual-winding watch. I believe we’re alive for a brief period of time; whether it’s fifty years or a hundred, in the scheme of things, that’s a short blip. And it’s up to us to use that time intentionally. So taking a moment to wind my watch means giving myself 20 seconds of the day to create a sense of purpose as to how I’m going to use my time- to ask myself, Am I going to live today with intention? – Hamilton Powell

Josh Condon. He is a writer, editor and author. His watch is the Movado Moon Phase. The idea of heirlooms is a big deal. I have been handed down things from my grandpa etc. My dad loved to give me things too. My dad bought a Movado moon phase and I started writing about it. On my 36th birthday, my dad bought it for me. He also gave my brothers the same watch. I haven’t taken the watch off since. Every time I wear it, it reminds me of my family.

Geoffrey Hess. He is the CEO of Analog/Shift. His watch is the Rolex Eagle Beak Tropical Submariner, Ref 5512. It’s the story behind the watches that is important. I met my wife because of this hobby. I love vintage Rolexes. Often, I go for collector events overseas. We are almost like brothers. People like vintage because of the tropical dial, serial number matches the box, lume on dial match the hands etc, crown guards look like an eagle etc.

But to some degree, the world of vintage Rolex is a science; we collectors always have a loupe, and we’re examining the colors, the serifs on the fonts, the way the Rolex coronet is printed. It’s a grown-man science. – Geoffrey Hess

Michael Friedman. He is a historian at Audemars Piguet. His watch is the 1938 AP. This watch would be included in an auction. My dad was impressed by the history behind it. I studied time through the different time periods and realized how interesting it was. My dad used to encourage me to explore the world. It was a moment which I shared with my dad forever.

Tom Sachs. He is a sculptor. His watch is the ‘New Bedford’, customized Casio G-shock DW-5600. I hot-glued a metal cage around a digital watch in the past. The Japanese created the Casio with the concept of status and of a low price. I have worn the same G-shock for the past 20 years. I engrave every G-shock I buy.

I like the idea of something that costs $40 that you own, versus something that costs $4,000 that owns you. – Tom Sachs

People wear watches for their associated value. You wear an Omega Speedmaster and you’re Neil Armstrong. Or you wear whatever watch James Bond wears, or Sir Edmund Hillary wore, and you become that person – even if you work in an office, at least your watch is the same as that hero’s. – Tom Sachs

Bre Pettis. He is the founder of Bre & Co. His watch is the Bulova Accutron Spaceview and Origami watch. I am impressed by the Stonehenge because of its accurate astronomical alignments. Watches represent a worldwide contract and are incredibly interesting. My dad gave me this watch. It’s a transition between a mechanical and quartz movement. The tuning fork was like the gear-train of the watch. Watches actually make great gifts to others and encourage friendship building. I created the origami watch.

Stephen Lewis. He is a photographer. His watch is the paper cutout of a HP calculator watch. I used to like cutting watches out from famous watch magazines. I was impressed by James Bond when he checked the time on his Pulsar digital watch. Nowadays, I wear a Rolex submariner, which was a present from my wife. I have been able to dig myself out of a hole with little imagination.

David Coggins. He is a writer. His watch is the JLC Reverso. Reverso was a gift from my parents. In the past, polo players could flip the dial as it was necessary to protect the watch crystal. The way the watch flips is also very purposeful. I also like Art Deco numerals.

I want a watch that’s well-made and designed with purpose – just like a suit, for that matter. And I like to wear a watch every day. – David Coggins

I think you can tell a lot about a man from his watch, and I prefer one that errs on the side of discretion. – David Coggins


Annual Conference and Global Internal Audit Leadership Summit 2017 (27 Oct)

Managing Cyber Risks. (KPMG) Cybersecurity is one of the top 5 risks as rated by CAEs. Cyberattacks are one of the top 3 man-made risks which can be addressed. In a survey, Asian CEOs aren’t as well prepared as their US counterparts when dealing with cyber risks and cybersecurity. There is a need for cybersecurity risk assessment. Sometimes, insiders can provoke a cyberattack too. The widening of the digital footprint can lead to greater cybersecurity threats. External threats like new technology, technology change, regulatory compliance and changing market forces will continue to affect the cyber landscape. The new cybersecurity bill by CSA is slated to be released in Feb 2018. The Bill will affect CIIs from 7 different industries. The cyber risk gap needs to be plugged through the use of specialist reviews and audits. Some of the losses that an organization could face are theft of client information, IP, corporate data, DoS attacks etc. Nowadays, it is quite common for the attacker to attack your service provider (since there are less strict internal controls) and get information from them about your company. Some of the staff from your vendor might not be well screened either. Usually, there is no point trying to figure out who the cyber-attacker is as it is hard to prosecute if it’s not in Singapore jurisdiction. Some of the tactics that cyber-attackers use are ransomware, key loggers, phishing, insider data theft and man-in-the-middle attacks. Do not give away passwords at any cost. Training/education is important, more so than IT tools at times. As auditors, we can audit the data classification in an organization. Cybersecurity is a growing factor and needs to be included as a risk indicator. There needs to be a detailed response plan after being attacked. There is also a need to link the cybersecurity threats to your business. One can read the ISO 27000 series, MAS TRM Guidelines, NIST, COBIT and others.

SAP Case Study. (SAP) SAP is a German company. Maintenance costs are a big part of the implementation costs of having such an ERP software. For SAP itself, some of the risks facing the organization are acquisition risks, cloud computing etc. Within the audit team, they use the SAP Audit Management Software, which automates the end-to-end auditing process. One will be able to see clear audit plan overviews and also real-time status updates of the plan. There are also resource management tools in place which will help improve the global resource transparency. In addition, there are audit executive dashboards in use. All these lead to better cost savings, user satisfaction and faster audit cycles for the organization. As a result, during quality assessments, the IA function scores better. Analytics helps in audit sampling for auditors.

Internet of Things. (Microsoft) The Internet has shifted from the Internet of content to service to people and now to ‘Things’. The Internet is very commonly used nowadays as it is more efficient and has led to increased productivity. It has brought the whole world together through Skype. There is data in chips in our everyday devices and such data can be harnessed for decision making. Some of the benefits of IoT are that it leads to 1) safety, comfort and efficiency; 2) faster decision making; 3) revenue generation. Some of the risks of IoT are 1) privacy, security and legal (what types of data can be collected and should be collected etc). The major challenges that will be faced are to obtain the business and IT buy-in and also the fact that data magnitude can be huge and complex and hard to interpret. It is important for IA to stay ahead of the changes and understand the risks emanating from IoT. We need to be trusted advisers to the business. CAEs need to determine the skillsets required, like from data scientists, private specialists etc. IA needs to recruit the right people. We need to change our approach to how to audit etc. The process flow is like this: device connection -> data sensing -> communication (access rights) -> data analytics (queries etc) -> data value -> human value

Data Analytics at MAS. (MAS) Data is the new AIR that we breathe. Insight is the new storage of value also. There are a few Vs we need to be aware of: Veracity, Value etc. We have approached the other departments, like banking, insurance and capital markets, to understand the pain points of these departments. We have moved from rule-based (AML + STR) to machine learning. There is a strong need to enforce data quality and to move from just big data to smart data. Labels must be given for supervised machine learning in order for it to work more efficiently. However, there is also such a thing as unsupervised machine learning etc. For data, there is a need to achieve generalisability. An important question to ask is whether your model can work on future data, or just past data. Ensure that your data can be interpreted and cleaned before it can be used. The process is as follows: 1) know the question; 2) understand the data; 3) find the right algorithm; 4) be aware of the limitations; 5) be sceptical; 6) automate; 7) experiment. It is important to share insights across the different departments. Machine learning is a programme which automatically improves its performance through learning and experience. Culture is hard to change and in fact, culture is more important than the application of an algorithm.

Cybersecurity Lessons Learned. (SWIFT Asia Pacific) SWIFT is a co-operative that is based out of Belgium. Nowadays, cyberattacks are tailored for a particular institution and that can be really scary. Hackers are now able to perform multi-stage attacks. There is a hacker collaboration space in the dark web. Cross-border banking usually requires the use of SWIFT. Hackers have different motivations for committing crimes and these are difficult to predict. Cyber must be managed from the top down. One needs to understand that spending money doesn’t make you more secure and there is a need to perform cost-benefit analysis. At times, it could be the client servers which have issues. There is a need to dictate how the client runs their programmes in order to secure their environment. There needs to be a cyber-response plan in place to address attacks and to recover. In future, SWIFT would make it compulsory for banks to report on their compliance with SWIFT’s assurance framework. This will certainly help to improve transparency.

Ethics in a Digital World. (Avanade) Avanade is a cloud service provider and is a partnership between Accenture and Microsoft. In this digital age, there is a debate between Personalization vs Privacy. Facebook tried to have two bots chat with one another, but they turned racist and eventually had to be put down. Although AI development is swift, it might be necessary to put the guardrails on AI and curb its growth in view of ethical considerations. What is morally acceptable in today’s society? What is lawful? Digital is becoming a way of life and ethical behaviour is vital in this day and age. Is there a need for a framework to manage ethical dilemmas? What are the possibilities of digital tech? Core ethical values are embodied by leadership and there needs to be a good tone from the top.

IA in the Age of Transformation. (Asia Pacific Black Sun, Sofitel Singapore, UOB, NTUC, EDB) What are the elephants in the room? This refers to important issues that are not being addressed by IA. IA needs to keep themselves relevant. 43% of jobs in Singapore can eventually become automated (mechanized, robotized, digitalized etc). However, there are still many opportunities in the audit space to add value. IA needs to be high tech, high touch (build strong relationships with management), and high trust. IA’s job is to highlight exceptions to management and in order to do so, they need to be loud and courageous in the boardroom and not shirk from difficult conversations. IA needs to avoid getting into the newspapers. IA needs to familiarize themselves with the area of sustainability reporting and professional scepticism. IA needs to constantly update themselves through attending training etc. Industrial domain knowledge is also important and this is usually learnt on-the-job. People retention is important and there could be a risk of knowledge loss without people. There is a need for IA to provide inputs on controls for IT projects right at the start. If there are no audit findings, it is possible for IA to issue a clean audit report. IA should gradually take on a more advisory role for the business.


Annual Conference and Global Internal Audit Leadership Summit 2017 (25 Oct)

Audit Committee’s Expectations of the Chief Audit Executive in an Uncertain World. (Singapore Institute of Directors) We live in an uncertain world with plenty of technological advancements and digitalization. The world can be termed as VUCA (volatile, uncertain, complex and ambiguous). The advent of tech companies like Uber and Airbnb has caused the downfall of many traditional businesses. One thing is for sure, technology is here to stay and it will continue to disrupt economies. The Financial Reporting Surveillance Programme by ACRA revealed that there is still work to be done in terms of complying with FRS for listed companies. The surveillance programme also reaches out now not just to companies with qualified audit opinions, but those with unqualified audit opinions. ACRA has stated 8 audit quality indicators which will be important for IAs to follow. The recent enhanced auditor report format requires the key audit matters and other information to be disclosed (notes to FS). In Jan 18, companies will need to comply with the IFRS 9 on Financial Instruments and the IFRS 15 on Revenue. Also, in general, there is a move from SFRS to IFRS convergence in Singapore. In addition, for listed companies, it is mandatory for them to produce sustainability reports. This is an area where auditors need to equip themselves with more knowledge. From the above, it is imperative that one unlearns, relearns etc. In addition, to provide better assurance, IA can leverage off other assurance providers and work closely with ISD or consider performing co-sourcing etc.
The 5 Ls that Internal Auditors need to possess are Learn (lifelong learning on data analytics and how to audit IT etc); Leverage (other assurance providers for AML, cybersecurity etc); Lead (lead the risk management, lead the combined assurance framework/Governance Risk Control framework etc); Live (treat Internal Audit as a form of meaningful work and be passionate about their work); Love (treat IA as a vocation, contribute back to the IIA).

The Cyber Resilience Challenge. (RSM, DHL, Datalogic, CSA) To tackle cyber threats, there needs to be a good governance system in place. RSA has a GRC framework and business-driven frameworks to address such risks. In addition to cyber risks, an organization must never forget the operational/financial risks and how the cyber risks are linked to such risks. Due to the skill of hackers, it is likely everyone will be hacked and it is just a matter of time before it happens. There is a need to weigh the pros and cons of anti-cyber threat measures. In the audit space, IT auditors have a lot of potential to upscale and re-learn. For complex environments, it might even be necessary to develop a hacker mindset in order to perform vulnerability and threat testing. It is important for an organization to have a good risk culture. It is never wise to be naïve when it comes to cybersecurity. There is a need to consider the single points of failure as this might break the organization (for example: a lack of business continuity planning or the drawing up of DRP). In such cases, it might be better to build some form of redundancy. Ask yourself: if you were the CEO, what is the thing that keeps you awake at night? Do not ignore the threat of cybersecurity breaches in your organization.

Auditing at the Speed of Risk in the Digital Age. (DHL) Due to digitalization, IA needs to keep up to date with the latest market developments and update their risk assessments more frequently. Technology is the biggest game changer. Some of the threats that will be surfaced during a threat assessment would be things like malicious software, hacking attempts, unencrypted information, hacking and data theft. It is important to test the disaster recovery plans (DRPs) and BCPs. Ask yourself: what do you fear? One should believe in lifelong learning.

Do one thing every day that scares you. – Eleanor Roosevelt

Maximising Value from the Three Lines of Defence. (DSTA) The first line is the management/internal controls. The second line is risk management/safety/compliance functions. The third line is internal audit. IA has to move away from traditional assurance to advisory and advocacy work. However, do remember that the core IA work is still in assurance. Although advisory work is important, CAEs should not take on roles that lead to conflict of interest. CAEs must remember that they do not endorse business decisions. The 3 lines of defence can be linked to the COBIT framework (IT governance). The COSO framework also supports the 3 lines of defence model in an organization. Some of the attributes required for a successful 3LoDs are strategy, shared values, system, structure, staff and skills. IA could use dashboards and DA to make their work more efficient. Some are proposing a fourth line of defence for the financial industry (external auditor + MAS banking supervision). Internal Auditors must always fall back on the IPPF. KPIs like competency of procurement staff could be introduced.

The Customer Centric Audit: Learn How to Audit What Customers (and Your CEO) Actually Care About. (Proximity Risk and Assurance) How does one go about auditing the customer experience? It is important to do so as it concerns the revenue area of the business. One can start by mapping out the customer journey. Identify the brand touchpoints with the customer and also assess the environment. Poor customer experience could have a negative impact on the business, like the United Airlines passenger who was thrown off the plane. IA needs to audit the risk of poor delivery. IA can indeed and should audit the customer experience. Avoid excessive controls as they might stifle the customer experience and affect the quality. Customer experience is something that will keep the CEO awake. IA can sometimes even pretend to be a mystery guest/customer to examine the quality of service. As part of documentation, IA can build up a customer journey matrix and add in the relevant departments responsible for the various sub-processes. Next, IA can test the expected journey vs actual feedback received from customers. If it’s the first audit report on this area, it would be advisable not to grade it. Always remember the importance of good customer experience as it is essential for customer retention.

Panel Discussion: Leading to Make a Difference. (Deloitte, Citi, MOHH, Olam) MOHH IA managed to evolve from a mainly compliance function to now one that fully incorporates DA. It has been a painful process but it has really helped to boost efficiency. IA is now moving beyond compliance. IA needs to adopt a pragmatic approach and look through the lens of the business. It is necessary to get the right strategy. The CAE must be able to engage the senior management well and also explain to them what IA is all about and how it can meet their expectations. In order to be able to influence management’s behavior, IA must have in-depth knowledge of the business. IA should be seen as being impartial, but not be neutral. As the CAE, it is crucial to state one’s opinion and not sit on the fence. Although it may not be a right opinion, an opinion must be based on facts. To be seen as successful, IA needs to be seen as a growth enabler, and not as slowing down the various processes. One such way to achieve this is that IA can get involved in the process design stage and give inputs and recommendations on controls. Olam has many e-learning modules to help the IA team improve their competencies. Citi has a Chief Auditor for Innovation and they use many tools for analytics in their work. It is now very common for IAs to use data analytics to audit and now 100% sampling is possible. Due to the rigour of MAS’ inspections, banks like Citi need to step up and comply. This forces the IA team to improve their quality. Instead of simply adding controls, auditors can remove controls to get rid of legacy issues which slow down processes. In order to stay relevant, Internal Auditors need to be passionate about their work and always remember their core job is still assurance.
