Putting its immense wealth into good use, Qatar is attracting attention on the world stage for all the right reasons. Joyce Njeri recently toured the country on the invitation of the IIA-Qatar Chapter, where she got first-hand insight of how the internal audit function is furthering its cause alongside the economic growth of the tiny modern Gulf nation. Here are the excerpts of the interview carried out with some board members of the association…
Qatar is enjoying a period of unparalleled prosperity, with exceptional progress being evident in almost all sectors of the economy. As the Institute of Internal Auditors work towards increasing its influence over public policy, how is the body responding to this growth by building a risk framework in the country?
The IIA cannot directly influence corporate risk frameworks, but we are equipping our members to assist their management and boards of directors, or the owners of family enterprises to ensure risk management is considered as part of the business plan and corporate governance.
Qatar relies heavily on expatriate labour. Human capital is intense, and many companies are feeling the pressure to up their talent management game. A particularly thorny, long-term threat to many companies has become acquiring and retaining qualified staff, where key skills are in high demand and short supply. How should internal auditors react to these increased talent and labour risks?
The auditing profession has a system whereby it is mandatory for all members to continually be kept abreast of changes in the profession and requirements such as standards, practice advisories and guidelines. Our members maintain their requirement to fulfill to this continuous professional development.
For auditors, the challenge is to ensure the management has a system in place to attract and retain competent staff in the other disciplines in the company, especially the core driving forces of the business. If this does not exist, there is a severe potential for incorrect decision making that could cost the company dearly, if members of staff are not maintaining their competitiveness in terms of skills and development pari passu with the competing companies and new entrants in the market.
The IIA Qatar is also pursuing developmental opportunities in these areas in the near future. To an extent, it has already been done with regards to business continuity, IT security as well as fraud and corruption. Qatar also has a very robust Qatarization initiative and annually government and semi government companies’ performance against their plans are reviewed. The skills development of Qataris also serve as a buffer for the risk of attracting and retaining expatriates.
Failure to manage risk in organisations would be catastrophic. In your opinion, why is internal auditing in Qatar so important?
You are quite right, risk management is critical. Internal Auditing in Qatar is so important mainly because it is an independent function that can assist management and the board to give objective assurance on the adequacy and effectiveness of risk management and the related control-efficiency or suitability of alternate responses to the threats or opportunities identified through the risk management process.
The aftermath of the global financial crisis has forced internal audit departments to reflect on their role, focus, contribution and size and how these should evolve in the future. How in your opinion, should the internal audit function evolve to better serve the needs of companies in a cost-efficient way in the future?
Auditors should focus on value addition as was the theme of our recent annual conference. There are many areas where they can add value. Firstly they should deliver maximum results by optimum efforts (resource utilisation and skills combination).
Management and the board of directors of companies should not be told what they already know. The auditors should bring news (positive or negative) and indicate how to best manage that. Management and the board must always look forward to what the auditor has up his sleeve. They should never doubt any of the auditor’s communication, therefore the auditor must be sure of all the facts.
Secondly, auditors should delve to the root causes of a matter and then do proper analysis and comparisons to assure management and the board of the key areas to be addressed immediately or over time.
Thirdly, auditors should understand the driving forces within the business and focus the audit activities around the significant functions first. Also, auditors can add value by taking a more collaborative approach and work with the management to understand the business’ key drivers and objectives. Auditors recommendations should also support management is their achievement of their objectives, thereby fulfilling the role as business partner.
According to a recent report authored by Deloitte, the added value of the Internal Audit function in 2015 will more and more be determined by its ‘impact’ on the organisation. What would you say is the one skill the internal auditor should focus more on in the future? On the same note, do you think it’s necessary for internal auditors to specialise in particular fields?
Well, businesses vary in nature and size. However in my view, the one skill auditors should be focusing on is relevance. Auditors must identify what would make their activity within the company relevant. In banks and other financial companies, cyber threats pose greater risks than in other companies.
Specialisation is always required, but it does not mean that the audit function should have all the skills in house. There is a cost benefit trade-off and some skills, depending on the nature of the organisation and the level of the threats, could be co-sourced in association with other service providers.
The impact of business failures and consequent governance initiatives will forever change the corporate world. What is the IIA-Qatar’s role in ensuring an effective governance environment?
The IIA-Qatar is providing seminars and training programmes on a regular basis to ensure the governance concepts are well understood by its members so that there could be an internal transfer of knowledge and the corporate environment is also improved.
With conferences, we try and obtain excellent speakers to further stress the importance of governance as part of auditing’s annual plan, but also as a key performance area for management and the board of directors.
What should be the relationship between internal audit and other assurance providers, such as quality and external auditors?
The relationship should be one of co-operation and support. We are all service providers with a different emphasis, and we all try to improve the well-being of corporations.
The FIFA World Cup is the largest single event sports tournament in the world by a considerable margin and will put Qatar on the world map. With regards to the event, what are some of the risks ahead that internal auditors should be looking at?
The most important challenge would be meeting the deadline for infrastructure developments due to challenges in having efficient and effective processes, systems and people to manage the readiness for the event.
In addition the possibility of fraud, corruption and mismanagement by some of the contractors, also contribute a supporting cause for concern. The country is well aware of these pitfalls and all audit service providers (internal, external and quality assurers) will collectively support management and the boards to mitigate such risks.
Qatar has become the most competitive economy in the Middle East. The World Economic Forum’s Global Competitiveness Report for 2011-2012 placed the nation 14th, overtaking other countries in the region including the UAE, Bahrain and Kuwait. As you look toward the future, where do you see the biggest opportunity for internal audit to add value to organisations?
The biggest value addition in my view, is to ensure strategic planning considers the increased competitiveness and management has developed strategies for growth that will enable the company to surf the wave. Secondly the support services should be in place to sustain the utilisation of the opportunities. Audit should advise management pro-actively.
First there was the financial crisis. Then came the recession and tough regulatory reform. How is internal auditing adapting to organisations’ changing needs, particularly through the financial crisis?
The financial crisis and recession affected the backbone of the Qatar economy, the hydro carbon’s sector. GDP growth rates reflect the sharp decline in that period. The opportunity from this was the shift from West to East for additional or new revenue opportunities. For other sectors, such as the infrastructure expansions, there was little or no direct impact in this region.
For organisations with affiliates affected through these crises, auditors would have assisted and advised management to focus on the core of the business and to maintain that to survive through the crisis.
On the same issue, Qatar was not immune to the financial crisis of 2008-2010. What do you see as having been the most significant impacts the recession has had on the practice of internal auditing?
You are right, Qatar was not immune, but the effect was very minor. Major projects were simply put on hold and now all of them are back on track. For auditors, it meant a change in audit strategy, more planning and refocusing.
No one knows risk better than the internal auditor. In terms of other opportunities outside of risk, what are some of the unrealised opportunities for internal audit?
I would say, an unrealised opportunity for auditors would be not to see the trees for the wood. We sometimes focus too much on the downside of risk and lose sight of opportunities. We are too concerned about maintaining ‘independence’ and are therefore incapacitated to advise management on the opportunities on the horizon. Examples are: Identification of key resources in the company that can be utilised in a different role, where their skills are better utilised. That could even be staff within the audit department. The effectiveness of succession planning, is another example.
Recently we have seen headlines about how hackers are stealing ATM card personal information from millions and using the info to rob money, how badly constructed buildings are collapsing and putting people at risk. Against this backdrop, what is IIA-Qatar doing to focus more on the rising importance of risk management? How are audit executives responding to today’s complicated risk landscape?
Your examples are very relevant. These are matters that not only auditors should consider, but every staff member. In the corporate world today we have become conditioned to think in silo’s and we want to avoid responsibility especially if we know another function carries that task. Like the slogan ‘safety is every-one’s responsibility’, so also with security. People in general today, are so occupied with their daily commitments, that they have lost the ability to sharpen the axe. We need to encourage management to create more time for reflection.
As IIA Qatar, we have numerous seminars on relevant topics and we enable members and visitors to interact and network and this enable them to broaden their horizons. Risk management features as a main topic sometimes twice a year in our seminars or training.
Audit Executives are naturally ensuring their management have taken cognizance of these and other threats by ensuring suitable preventative measures are put in place.
In today’s ever-shifting risk landscape, the internal audit function can’t settle for simply reacting to events; it must adopt a strategic mindset that is responsive to risks and helps ready organisations for new threats and opportunities. What is the internal audit function doing to leverage its core competencies, develop trust-based relationships, and provide deeper insights to organisations?
Well, depending on the maturity of the organisation with regards to risk management the audit function has a number of actions/ commitments to take.
Trust has to be earned, and it can take a long term to build a trust based relationship. In my view, delivering consistent value for money audits and effective and pro-active advice, helps in building trust. Only once management bestows trust on the audit function, and empowers it, the real value of our collective deep knowledge base will be fruitfully used by management and the boards.
Across industries and geographies, company stakeholders have become more engaged with risk issues and have been seeking to improve their ability to define and communicate a clear, firm-wide risk appetite. How are internal audit functions aligning themselves with these rising stakeholder expectations by expanding the footprint of risks they cover across industries, geographies and company sizes?
Audit is firstly aligning their own strategy with that of the business. Through this process, audit will identify whether the risk appetite is at an appropriate level depending on the culture in the organisation as well as the nature of the business.
Auditors then keep in contact with management to understand their concerns and ensure the risk management system captures all the threats and opportunities. Communication from both sides should be healthy to maintain an adequate feedback loop and avoid miscommunication and losing sight of key stakeholder expectations. Then the assurance role of internal audit comes into play. Through adequate coverage of the exposed areas such as mentioned, Audit needs to assure management and other stakeholders with relevant data and facts.
Today’s global business community faces a more complex and uncertain risk landscape where previously unknown risks can manifest themselves with unprecedented speed. How well aligned is internal audit’s plan with the critical risks facing organisations?
Take the recent floods in Germany and other European countries. One just need to review what actions were decided on at the last similar incident to know that today people are living in the present and focusing on the day to day issues. A similar example is earth quake risks in Qatar. Here is an opportunity for the internal audit function to assist management with business continuity programme to ensure the impact of natural catastrophe is minimal, should a disaster strike and affect the business processes or assets.
With all the emphasis the IIA Qatar has given and is still giving on risk management, every audit department should be well aligned to cover all the critical risks facing their organisation. This is indeed an area where internal audit can foster a trust-based relationship with management and the board/ stakeholders, when they identify possible future events that have been unidentified as yet and pose an imminent threat.