Recently the UAE Internal Audit Association, the local body affiliated to the Global Institute of Internal Auditors, announced the appointment of Kevin Rafiq as a new Chief Executive Officer. Kevin is responsible for providing direction and supervision to the committees of the association, as well as helping in the development of the association’s strategies and policies. In an exclusive interview with Joyce Njeri, the CEO outlines his plans to steer the association to the next growth phase…
Q. You were recently appointed CEO of UAE’s Internal Audit Association. As the body works towards increasing its influence over public policy, what value do you as a person bring to the Institute?
A. The value that I bring into the local organisation is that of an international perspective, coming from the global body of the Institute of Internal Auditors, where my previous charge was to oversee the expansion of the Global Institute in different countries.
I also bring a global vision that will help the board of the UAE’s IAA increase its visibility – which we have already started seeing – as we are getting credit from the Global body about our accomplishments in the country. Similarly, my vision for IAA is alligned well with the value and objectives that the board has set for itself. I believe it [board] takes a lot of credit for bringing a small organisation that just two years ago, had less than 400 members, to over 1,700 members currently registered.
Failure to manage risk in organisations would be catastrophic.
In your opinion, why is internal auditing in the UAE so important?
Whether in the UAE or anywhere else, the work of internal auditors cannot be gainsaid. Let me just give you an example. Our organisation here in the UAE started off small, and has grown in leaps and bounds for the last two years. As I mentioned earlier we had less than 400 members about two years ago and have grown to almost about 1,700 members today. If we don’t manage risk carefully in the way we grow, we’ll find ourselves in trouble a year from now. When we consider how things happen, we often frame them in terms of the three key elements of people, processes and systems. However, when it comes to the control environment and the risk framework, the people element is often overlooked and not viewed to be as core as the more tangible elements of the risk and control framework such as business processes and systems.
So managing risk is very important to any organisation whether it’s for profit or government or non-profit entity. We need to make sure that we keep the momentum and desire to grow in organisations with the realities of that growth. Internal audit is very instrumental in making sure that it presents the right idea and picture of how you should grow as a company vis-à-vis the risks that are presented in your area.
What’s the relationship between external and internal audit?
The IAA Global came up with a framework that is called the ‘three lines of defense’. The reason why we call it defense is because the model has greatly helped organisations to adapt to the new norm of market volatility and uncertainty, particularly as pressure for greater levels risk reporting increased.
These ‘three lines of defense’ models focus on providing assurance within business units while at the same time providing assurance to senior management and boards that controls and processes are operating as intended. Concurrent to this is an increased focus on ensuring that organisations speak the same ‘risk’ language especially as they restructure themselves to better deal with managing the new norm of volatility.
The goal is to make profits for the stakeholders however, in order for those stakeholders to get profits from the organisation, the management needs to manage the risk. So the first line of defense for managing risk is the internal audit. Being the primary responsibility of audit, it brings the value of ‘traditional’ risk management in providing assurance or monitoring activities within the organisation. Internal audit is actually someone who is employed in the organisation, someone who’s familiar with how the organisation operates.
External audit is the next line of defense. It’s an entity that is outside of the organisation that comes in and provides credence to whatever the internal audit has managed to do as far as risk is concerned. In recent past however, we have seen that cost pressures in organisations have forced the need for leaner and more effective teams, and this has also meant that these organisations have had to become smarter in how they provide assurance and what they provide assurance on. This has meant the desire for assurance to be built into the first line or operational processes so that the second and third lines can focus on providing ‘re-assurance’.
Risk management policies should therefore be viewed as complementary to business policies rather than parallel. So we look at internal and external audit as complementary partners.
Organisations have traditionally relied on the services of external auditors, consultants or management advisors as assurance providers. Ironically, a recent study poured cold water on the reliability of external auditors to detect occupational fraud, stating that most cases of fraud are first reported by employees. What’s your take on this?
Ultimately, it is more important that an organisation understands its risks, its approach to risks and how they are being monitored and measured. It is of uttermost importance for an organisation to add value to how its risk is managed by creating some effective assurance to the management to continue operating the company on profit basis. So I don’t think that external audit should be excluded from the business.
However, just to distinguish the two, not all organisations can afford the services of external audit and the cost associated with it. When you have a small organisation, a strong internal audit can manage itself. The other difference is that when an organisation is a public organisation – basically been traded on the market – the shareholders require the opinion of the external auditors.
Therefore I would never exclude the value of the external audit.
If you recall the infamous scandal of Enron, and the issue of external auditors who did not really do a good job in ensuring they notified the shareholders, they went out of business because they did not do what they were supposed to do. All in all, external and internal auditors are the layers of security in organisations.
The aftermath of the global financial crisis has forced internal audit departments to reflect on their role, focus, contribution and size and how these should evolve in the future. How in your opinion, should the internal audit function evolve to better serve the needs of companies in a cost-efficient way in the future?
We need to look at this from two different perspectives. As internal auditors we like to look at ourselves as value partners to the management. Post the global financial crisis, organisations are increasingly facing challenges especially under pressures of regulatory and cost scrutiny. This has resulted in many companies now considering change in business operations, compliance and risk management. Companies have taken to understanding the need for a holistic view of risk across the business and therefore risk management now has a more prominent focus on board and executive agendas than before.
I think the financial crisis of 2008 was really working towards our advantage because it highlighted the value that internal auditors play in organisations, and it made management aware that we are really not ‘a cop’… here to find errors and mistakes, but rather, we are here to uncover certain risks that may create a bigger problem for the organisation. So the economic slowdown allowed the internal auditors to get into the spotlight. It also showed that as auditors, we need to do a better job and ensure security to our stakeholders and organisations.
Controls detecting and preventing fraudulent behaviour, for instance hotlines and whistleblowing have become crucial in organisations. In your opinion, should fraud controls be included in the day-to-day internal controls in the business?
It should but it’s not the job of internal auditors. Just so we make this clear, the internal auditor is not the fraud examiner, he’s not the cop, we are value-added partners that manage risks and inform the management about the risk.
However, as we do our job as auditors and we uncover alleged fraud or malpractices or potential for fraud, we highlight that in our report to the management and it is the management’s prerogative to probe it through other channels like the investigators. The ability for an organisation’s risk management framework to handle volatility coupled with a consistent risk culture is the fundamental attributes of today’s forward-thinking organisation.
According to a recent report authored by Deloitte, the added value of the Internal Audit function in 2015 will more and more be determined by its ‘impact’ on the organisation. What would you say is the one skill the internal auditor should focus more on in the future? On the same note, do you think it’s necessary for internal auditors to specialise in particular fields?
I do agree with the [Deloitte] report. Let me give you a little history about internal audit. Back in the 1920s the focus was mainly on detecting fraud and then we evolved into doing other things. As internal auditors, we mainly dealt with it from the accounting and finance point of view, but now we have moved to the entire operational cycle including marketing, human resources, IT among others. Internal auditors come from all kinds of fields and they have a say in all the systems that make up an organisation. What we focus on is what the organisation requires us to focus on.
Ideally, we would like internal auditors to specialise and that’s why the Global Institute of Internal Audit tries to attract people into the profession from all kinds of fields, including software engineers, who are the best to identify the risk in, for instance, IT.
We always rely on specialised people in the field to help us do the internal audit function. So if you look at the current members of the Global IAA, they are representing all kinds of skill set from different fields.
Why is it important to gain a qualification as an internal auditor?
The CIA, which stands for Certified Internal Auditor, gives instant recognition and credibility. Simply put, the certification of internal auditor is important because of its global recognition, which means that one can practice from anywhere in the world. One is instantly recognised to have ethical qualifications as required by the standards of the profession; he knows how to prepare audit plan, conduct the audit, report to management, and knows how to function with the management and the top executive. Therefore the certification is evident that one is qualified in this area.
On a personal level, my professional experience spans the fields of international business, marketing, customer service, leadership training and development, strategic management and partnership development. I have led the implementation of highly visible projects in the US, including for NASA, GSA, DoD and DoED. I am a Magna Cum Laude graduate, with a Bachelors degree of Science in Business Administration from Strayer University-USA, and an MBA in International Management from the University of Maryland-USA.