Internal Audit – FAQ
- How does my company benefit from internal auditing?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. A good internal auditing system ensures better management of your enterprise by improving its governance and risk management controls, while at the same time ensuring that your business objectives are achieved.
- What are the objectives of internal audit?
A good internal auditing system will aim to achieve:
- Independent assurance of compliances
- Risk Assessment and mitigation
- Process improvement
- What are the processes involved in internal auditing?
- Understanding of the organization, the key business objectives, policies, processes, risks, and controls
- Gathering audit evidence – Inquiry, Observation, Inspection, Vouching, Tracing, Re-performance, Analytical procedures, Confirmation etc.
- Evaluating relevance, sufficiency and competence of evidence gathered
- Data analysis and interpretation – Computerized Audit tools and techniques, Spreadsheet analysis, Statistical analysis/process control techniques, Analytical review techniques, Benchmarking etc.
- Review of Documentation/Workpapers
- Data reporting – Reporting test results to Audit Manager, developing conclusions regarding controls
Risk is the possibility of an event occurring that will have an impact on the achievement of an organization’s business objectives; measured in terms of impact and likelihood.
- Risk begins with strategy formulation and objective setting.
- Risk may relate to preventing adverse events from happening or from failing to ensure that favorable events happen.
A due diligence is defined as an investigation or audit of a potential investment, product, or a key business decision in order to confirm all facts pertaining to it. A good due diligence goes beyond
the numbers and aims to analyze what lies behind these. Since a due diligence helps to gain a deeper understanding of the target organization or investment, it is prudent for any individual or organization to carry out such an exercise in order to protect themselves against any unforeseen risks.
Financial DD: Focuses on verifying the financial information provided and to assess the underlying performance of the business in terms of earnings, assets, liabilities, cash flow, debt, management etc.
Commercial DD: Aims at understanding the market through review of market conditions, sector-specific legislation, competitor analysis, product or service assessment or any other commercial aspects the user wishes to investigate.
Tax DD: Assessment of tax impact arising from ‘change in control’, assessment of historical tax exposures, identifying tax-saving opportunities, assessment of current tax position, assessment of various modes of tax neutral deal structuring.
Human Resources DD: Focuses on the impact of human capital by identifying the qualifications, technical ability and working initiative of the target firm’s senior management personnel and key staff.
Operational DD: Consideration of non-financial (operational) matters of an investment decision, which may include assessment of systems and processes, review of the incumbent management team, staffing levels and other HR activities, or insurance arrangements and risk assessment.
Legal DD: Investigation of any legal risk associated with the rights and obligations of the investment decision. Issues may typically involve property ownership, intellectual property and employment disputes.
Administrative DD: Involves verifying admin-related items such as facilities, occupancy rate, number of workstations, etc. The idea is to verify the various facilities owned or occupied and determine whether all operational costs are captured in the financials.
Asset DD: Includes a detailed schedule of fixed assets and their locations, all lease agreements for equipment, a schedule of sales and purchases of major capital equipment during the recent past, real estate deeds, mortgages, title policies, and use permits.
Intellectual Property DD: Schedule of patents and patent applications, schedule of copyrights, trademarks and brand names, pending patents clearance documents, any pending claims case by or against the company in regard to violation of intellectual property.
Customer DD: Examination and analysis of the top customers, service agreements and corresponding insurance coverage, current credit policies, customer satisfaction score, and related reports for past periods.
A due diligence process would typically need to follow the below steps:
- Defining scope and information requirements of the Due Diligence
- Obtaining and analyzing preliminary information from the target company – this would include historical financials, recent management financials, business plans, information on banking and liabilities, information on operations, assets, employees etc.
- Understanding key transaction drivers
- Conducting interviews, review policies and procedures
- Onsite assessment and detailed walkthroughs where necessary
- Discussions with key management personnel to validate findings
- Analyzing the implications of key findings
- Issuing of a Due Diligence report
Internal audit involves a holistic approach to an organization’s governance, risk, processes and control systems. The focus of an internal audit is across functions and not necessarily financial. An external audit, however, pertains to the accuracy of the organization’s accounts and compliance of financial reporting to international standards.
An internal audit could be an ongoing activity for an organization – performed either internally with own resources, completely outsourced to third parties or as a blended activity with both internal employees and external companies. In such ongoing audits, companies prefer to have quarterly audit meetings and report discussions with the management/board of directors/audit committee.
Though less used, there are alternate approaches also to internal audits wherein the audits are carried out either once or twice a year and findings and recommendations are reported in a corresponding manner. At times, organizations also conduct an internal controls study as a one-time exercise, and this is usually followed by changes to policies, processes or the ERP.
Internal auditing is mandatory for companies operating under-regulated environments – such as publicly listed companies (or PJSCs), entities operating under rules of central institutions (such as entities regulated by the UAE Central Bank or Insurance Authority) etc.
Internal Audit is not mandatory for privately-owned companies, however, private companies that seek better governance, processes and controls conduct ongoing internal audits and use this function productively.
A forensic investigation helps to understand the root cause behind a fraud or a loss, to determine who the perpetrators and accomplices of the fraud were and get details on how the fraud was committed.
Such a report would usually be reviewed by the police or legal authorities and form an integral part of an overall case investigation.
Law: Decree 20 of the Federal Law 2018 on countering money laundering offences, combating terrorist financing and financing illegal organizations.
Executive Resolution: Regulations 10 of 2019 for a decree of federal law No. 20 of 2018 on countering money laundering crimes, combating terrorist financing and financing illegal organizations
The National Committee for Combating Money Laundering and the Financing of Terrorism and Illegal Organisations (NAMLCFTC) oversees the national risk assessment process. The UAE identifies and assesses the money laundering and terror financing risks it faces, in line with its obligations under the Financial Action Task Force Standards.
The AML law mandates the formation of an independent Financial Intelligence Unit (the UAE FIU) within the Central Bank (CBUAE). The purpose of the unit is to obtain Suspicious Transaction Reports (STRs) and related details from all Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs).
The AML-CFT Law states that FIs should “identify crime risks within (their) scope of work” and they also have the responsibility to update their risk assessments with regards to the different risk factors. While recognizing, assessing, and understanding the risks of the FIs, their business nature and size must be considered.
In the case of high-risk identification, enhanced due diligence will have to be conducted and cases wherein low-risk identification is identified, simplified due diligence will do.
The below-given sectors/ individuals need to comply with the AML/ CFT regulations;
- Banks, finance companies, exchange houses, money service businesses (including hawaladar or other monetary value transfer services)
- Insurance companies, agencies, and brokers
- Securities and commodities brokers, dealers, advisors, investment managers
- Other financial institutions (FIs)
All the requirements of the Financial Action Task Force (FATF) recommendations of 2012 and its methodology of 2013 are included in the AML Law and AML By-law.
The minimum statutory obligations of supervised institutions are;
- To recognize, evaluate ad understand risks
- Carry out required due diligence work
- To appoint a compliance officer to fulfill the needs of the relevant Supervisory Authority
- To ensure that the required management and information systems, internal controls, policies and procedures to mitigate risks are in place
- To ensure that the indicators to recognize suspicious transactions are in place
- To maintain adequate records
Financial Institutions are required to “maintain a risk identification and assessment analysis with its supporting data.” They can make use of diverse models or methodologies to analyze risk, based on the nature and size of their businesses.
The best option would be to contact a consultancy to ensure you are compliant with the AML/ CFT regulations. HLB HAMT works as a consultant to conduct independent assessments of Anti-money Laundering, Combating the Financing of Terrorism & Sanctions Compliance Frameworks across multiple sectors.
The go AML system was developed by the United Nations On Drugs and Crime (UNODC) to combat money laundering and terrorist financing.
Go AML is an integrated system used by financial information units to receive, analyze and distribute suspicious transaction reports quickly and effectively, and is currently used by a large number of financial information units worldwide, and the UAE is the first Gulf country to implement this modern system
Get in touch
Whatever your question our team will point you in the right directionStart the conversation