IIA-Ethiopia Newsletter Progress through Sharing
Informing & Educating IIA-Ethiopia Institute Members
SPECIAL ISSUE VOLUME I NUMBER 7
May 2017
MESSAGE FROM THE PRESIDENT
May is International Internal Audit Month, the perfect opportunity to promote the
profession and its important role in organizational governance, internal control, and
risk management.
Since its inception in 1996, the Ethiopian Internal Auditors Association (IIA-Ethiopia) has
passed through several challenges and opportunities and is striving to continue its
journey as part of the Global Internal Audit Association (Global IIA).
The year 2016 was an exciting year in that internal auditing was given more recognition
both worldwide and locally. Such recognition definitely brings more challenges for the
profession, as stakeholders demand upgraded and quality service, which the profession,
under the leadership of the Global internal audit, is relentlessly working at.
A favourable legal and policy environment has been provided and proactive steps have been taken by the FDRE
government. Recently, internal audit activity in the Federal Government has been made to
report to the Ministry of Finance and Economic Cooperation (MoFEC). Such a move enables
the internal audit profession to grow and upgrade itself to a level where it can give a
service based on the international standards of internal auditing.
IIA-Ethiopia recently elected a new Executive Board. The new Board gladly embraces
both the challenges and opportunities that have come to the profession. It has decided
to uphold the contribution of the founders of our Association, for which the awareness
month is the perfect time. The foundation laid by our courageous founding
fathers is the source of strength to the new generation.
The other theme of this year’s awareness month is Systems & IT Auditing. The
astounding growth of information technology has invaded all organizations and
subsequently creates a threat to their survival due to the existence of cyber security
crime, viruses and hackers. Such threats require frequent updating and adequate control.
The Global Internal Audit Association has done a lot in IT Auditing and issued several
guidelines to equip internal auditors worldwide. IT Auditing in Ethiopia, however, is in
its introduction stage and much has to be done to cope with the threats and
challenges faced by organizations. As a trumpet call to embark on a new effort in Systems
and IT Auditing, we have included in this newsletter three articles to show both the
challenges and opportunities that exist in IT Auditing. I invite active participation in the
panel discussion organized to discuss the basics and state of IT auditing in Ethiopia.
Finally, I thank all our sponsors, Ministry of Finance and Economic Cooperation, our
institutional members, the internal audit community at large and the organizations for
which internal audit is giving service and affirm the Board’s commitment to work for
realizing a value added and supportive internal audit profession.
Samuel Ademe, CIA, EMBA
President, IIA Ethiopia
IIA Ethiopia FOUNDERS
The idea of an Ethiopian Internal Auditors Association was conceived by three
individuals: H.E. Ato Lemma Argaw, the then Federal Auditor General of FDRE, the Late
Professor Johannes Kinfu, and Ato Wolderuphael W. Giorgis, the then Internal Audit
Manager of MIDROC Ethiopia. These three people imparted their ideas to individuals
who were mainly in internal auditing work. Later on, the founders' meeting was called on
December 16, 1995 and was attended by fifteen members (their names are given in
Annex 1), who elected the executive committee composed of five members, and from
that day onwards the Ethiopian Chapter was officially recognized by the Institute of
Internal Auditors (IIA). H.E. Ato Lemma Argaw and Ato Wolderuphael W. Giorgis were
made lifetime members of IIA Ethiopia in 2012.
This special issue highlights briefly the contribution of the three founding fathers of IIA
Ethiopia.
H.E. Ato Lemma Argaw
Ato Lemma Argaw, the then Auditor General of
Ethiopia, the founding member and the first president
of IIA Ethiopia, has contributed a lot to the
introduction and expansion of the internal auditing
profession in Ethiopia.
He has dedicated himself to the development and
progress of the internal auditing profession in Ethiopia
since day one of the legal establishment of IIA Ethiopia
Chapter in Addis Ababa. Since his election as the first
president of the chapter in 1997, he has introduced a
lot of important undertakings to the chapter.
To mention a few of them: a qualification examination center was opened in Addis
Ababa, Ethiopia for the first time. He was instrumental in obtaining half-reduced
examination fees for Ethiopian candidates. The IIA Ethiopia library was first opened in
the compound of the Office of Auditor General. Annual conferences were held in
different ministries’ halls. He also enabled the chapter to enjoy half annual
affiliation fees for all Ethiopian members for a long period of time. His efforts also
enabled the chapter to get a free office in the Ministry of Finance compound.
Ato Lemma is the first, and one of the few, CGAP-qualified auditors in Ethiopia. He is a typical
and living example of a lifetime learner. Ato Lemma has also taught internal auditing in
IIA Ethiopia, Ethiopian Management Institute, Commercial Bank of Ethiopia and other
private enterprises, to promote the internal auditing profession in the country. He has
also written several articles on auditing and has presented papers at different
conferences both locally and internationally.
We members of IIA Ethiopia are very grateful and deeply indebted to him for his
dedicated service, guidance and enormous contribution to the development of internal
audit in Ethiopia and particularly to IIA Ethiopia.
The Late Professor Johannes Kinfu
Professor Johannes was Emeritus Professor of Accounting and Finance at Addis Ababa University (AAU) who dedicated all his life to education and training. He taught accounting at the Addis Ababa University for 44 years. He was also in charge of planning and served as Dean of the Faculty of Business and Economics.
His expertise and proficiency as well as his passion and dedication in the field of Accounting and Finance are unrivalled not only in Ethiopia, but also at the African level.
IIA Ethiopia is fortunate to have such a distinguished scholar as its founding member and its first V/President. Professor Johannes was instrumental in laying a foundation for a close relationship between Addis Ababa University and IIA Ethiopia. We at IIA Ethiopia always remember Professor Johannes for his great contribution and dedication to the field of accounting and auditing in Ethiopia.
Ato Wolderuphael W. Giorgis
Ato Wolderuphael W. Giorgis, who holds a BBA in
Accounting (HSIU), an LLB (AAU) and an MSc in Internal
Auditing (City University, UK), is a long-time internal
audit practitioner in both government organizations
and private companies. He is one of the founders of IIA
Ethiopia and has dedicated his life to the
development of internal auditing in general and IIA
Ethiopia in particular.
He was an active trainer and delivered several
trainings for both IIA Ethiopia and MIDROC Ethiopia
companies to internal auditors and senior
management members when he was the Chief Internal Auditor at MIDROC Ethiopia.
Ato Wolderuphael represented IIA Ethiopia in several IIA International Conferences and
Global Council meetings and has helped IIA Ethiopia to establish a solid relationship
with the Global Association. He was also instrumental in bringing IIA Global officials to
visit IIA Ethiopia. Last year, Ato Wolderuphael donated 36 books to the library of the
Institute.
IIA Ethiopia is very grateful to Ato Wolderuphael for his relentless, sacrificial and
devoted service to the Institute.
Articles on IT Auditing
Introduction
We have included three article reviews on IT auditing and related areas, which were
published in different local and international journals by an Ethiopian author, Ato
Shemlse G/medhin Kassa. It is customary in other countries to celebrate May internal
audit awareness month by presenting such articles or reviewing different
related books for participants, with panel discussion and training. The three articles
reviewed aim to motivate further reading as well as to encourage contribution to the
success of our profession. In addition, this review shows the existence of qualified
professionals in our country, and that if we work hard in the area we also have a good
opportunity to contribute to the development of the profession. A brief description and
address of Ato Shemlse G/medhin Kassa is given at the end of the articles.
Article 1: Ethiopian Banking Industries Readiness for IT security Audit
EBA® Volume 1, Feb 2015: for further reading, please refer to https://www.linkedin.com/pulse/ethiopien-bank-industries-radinasse-information-audit?published=t
Audit is one of the major management and technical activities used to identify all the possible
risks in any organization. A security audit is a type of audit that provides a fair and
measurable way to examine how secure a system or site really is. By their very nature,
financial sectors, especially banks, are more exposed to risk or security threats than any
other sector, while they are strongly driven to adopt new technology. Security
is a never-ending process that requires continuous follow-up, and it is rapidly
changing. Therefore, banking industries frequently need to identify their current
security status and adopt the required updated information security and audit.
The study was conducted on the Ethiopian banking industry using a mixed research
method as the research paradigm, with questionnaires and interviews as the methods
of data collection. The survey result is used to identify the readiness of the banking
industry to adopt security audit, identify the required criteria and advise the industry
on arriving at a better security auditing process. Questionnaires were prepared based on
ISO, NIST and an ICT readiness checklist for developing countries. Finally, the research
proposes 12 minimum security requirements and the auditors’ responsibility towards those
requirements, and presents the status of the Ethiopian banking industry. The
total result of security implementation in the Ethiopian banking industry, based on the survey
study, stood at 46.2%, which shows the industry is at an embryonic stage of
security audit readiness.
Fig: Readiness of Ethiopian banking industry for IT security Audit, Source – S. G. Kassa. Reprinted with permission
Article 2: Information Systems Security Audit: An Ontological Framework
ISACA® Volume 5, Sep 2016: for further reading, please refer to
https://www.isaca.org/Journal/Blog/Lists/Posts/Post.aspx?ID=333
Technology is evolving at an amazing pace and offering a vital benefit for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed upon and well-suited security audit framework for tackling IT security challenges, and there is also no holistic approach for the audit process. Because of this lack of agreement, it is getting more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerability; risk; and control.
This article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.
The following are a few of the benefits of using the framework:
Provide a common understanding on concepts, definitions and approaches
Create a common understanding of steps and processes
Clearly show how you perform the audit
Help managers follow along with the audit stages
Demonstrate how ontological and hierarchical thinking simplifies tasks
Increase efficiency and performance
Improve skills of auditors and people in the area to manage the security auditing process
Build a common base for evaluation, monitoring, reporting, analyzing and training
After performing several audits, the researcher found the framework quite helpful. Today, auditors are driven to perform risk-based audits. Identifying risk-based IT auditable areas can be a difficult process, but this framework helps to proceed further with audit activity. (The proposed ISSA ontological framework is portrayed on the next page.)
Fig: Proposed ISSA ontological Framework, Source – S. G. Kassa. Reprinted with permission
Article 3: IT Asset Valuation, Risk Assessment and IT Control Implementation Model
ISACA® Volume 3, June 2017: for further reading, please refer to
https://www.isaca.org/Journal/Blog/default.aspx
The researcher proposes different models that help to measure, manage and implement
concepts objectively by using the previously proposed ontological framework. The aim
of this recent article is to help you quantitatively conduct asset valuation, risk
measurement, impact analysis and identification of the existing control gap of the
company’s IT resource for a regulatory body, management, auditors and other
concerned parties.
In general, the model would enable us to:
Quantitatively measure the value of IT assets, risk impact and control implementation gap
Facilitate the control follow-up process
Use a common base for evaluating, monitoring, reporting and analyzing a risk assessment
Realize the required skills of different models and security components
Understand how the weight of an IT asset is assigned
The researcher's inspiration for this article came from what he observed while working
as an IT and systems auditor: he and his colleagues were challenged to give equal valuations and
similar opinions on IT asset, risk and control implementation gaps without the existence of clear
and accepted models. Hence, in order to solve such challenges, he was motivated to
create this model. The model provides an easy approach to measuring the values of IT assets,
risk impact, threat, vulnerability and controls quantitatively and objectively, for
company management and owners, for the purpose of their critical decision making.
By this model measurement:
Assumptions for asset valuation include:
The value of an asset depends on the sensitivity of data inside the container and its potential impact on CIA.
CIA of information will have a minimum value of 1 for each.
The values of the levels for CIA are as follows: a rating of 3 is high, 2 is medium and 1 is low.
The value of the information asset is determined by the sum of the three (C + I + A) attributes.
Asset Value = Confidentiality (C) + Integrity (I) + Availability (A)
(Max. Asset Value = the sum of the max. implemented values of CIA: 3+3+3)
Total Asset = Asset Value * Weight of Asset (Max. Total Asset: 9*3 = 27)
Potential Risk = Total Asset Value * Severity of Risk * Severity of Vulnerability (Max. Potential Risk: 27*5*5 = 675)
Risk Impact = Potential Risk * Probability (Max. Risk Impact: 675*5 = 3375)
Acceptable risk ranges from 3 to 540
Max. value of Acceptable Risk = Max. Total Asset * Low Vulnerability * Low Threat * Frequent Probability = 27*2*2*5 = 540
Tolerable risk ranges from 541 to 1215
Value of Tolerable Risk = Max. Total Asset * Medium Vulnerability * Medium Threat * Frequent Probability = 27*3*3*5 = 1215
Intolerable risk ranges from 1215 to 3375
Max. value of Intolerable Risk = Max. Total Asset * Very High Vulnerability * Very High Threat * Frequent Probability = 27*5*5*5 = 3375
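The scoring model above, applied to a small risk register, as an added example that is not code from the article or its author. The class and function names, the sample assets, the lower bound of 1 on weight, severity and probability, and placing the shared boundary score 1215 in the tolerable band are assumptions.

```python
from dataclasses import dataclass

# Maxima come from the article summary (CIA ratings 1..3, weight up to 3,
# severities and probability up to 5). A lower bound of 1 for weight,
# severities and probability is an assumption of this example.
MAX_TOTAL_ASSET = (3 + 3 + 3) * 3              # 27
ACCEPTABLE_MAX = MAX_TOTAL_ASSET * 2 * 2 * 5   # low, low, frequent: 540
TOLERABLE_MAX = MAX_TOTAL_ASSET * 3 * 3 * 5    # medium, medium, frequent: 1215
INTOLERABLE_MAX = MAX_TOTAL_ASSET * 5 * 5 * 5  # very high, very high, frequent: 3375
LIMITS = {"c": 3, "i": 3, "a": 3, "weight": 3,
          "threat": 5, "vulnerability": 5, "probability": 5}


@dataclass(frozen=True)
class Finding:
    asset: str
    c: int
    i: int
    a: int
    weight: int
    threat: int          # "Severity of Risk" in the summary's formula
    vulnerability: int
    probability: int

    def __post_init__(self):
        # Reject ratings outside the model's scales instead of scoring them.
        for name, upper in LIMITS.items():
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= upper:
                raise ValueError(f"{self.asset}: {name}={value!r} outside 1..{upper}")

    @property
    def asset_value(self):       # C + I + A, range 3..9
        return self.c + self.i + self.a

    @property
    def total_asset(self):       # Asset Value * Weight, max 27
        return self.asset_value * self.weight

    @property
    def potential_risk(self):    # max 675
        return self.total_asset * self.threat * self.vulnerability

    @property
    def risk_impact(self):       # max 3375
        return self.potential_risk * self.probability


def band(score):
    """Map a risk impact score to the summary's three ranges."""
    if not 3 <= score <= INTOLERABLE_MAX:
        raise ValueError(f"score {score} outside 3..{INTOLERABLE_MAX}")
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    if score <= TOLERABLE_MAX:   # 1215 appears in both ranges; assumed tolerable
        return "tolerable"
    return "intolerable"


def rank_register(findings):
    """Return (asset, risk_impact, band) tuples, highest risk first."""
    rows = [(f.asset, f.risk_impact, band(f.risk_impact)) for f in findings]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; asset names and ratings are illustrative only.
REGISTER = [
    Finding("core-banking-db", 3, 3, 3, weight=3, threat=4, vulnerability=3, probability=3),
    Finding("intranet-wiki", 1, 2, 1, weight=1, threat=2, vulnerability=2, probability=3),
    Finding("atm-switch", 2, 3, 3, weight=3, threat=5, vulnerability=4, probability=4),
]

if __name__ == "__main__":
    for asset, score, label in rank_register(REGISTER):
        print(f"{asset:16} {score:5} {label}")
```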
Shemlse G/Medhin Kassa, CISA, MSCS, CEH,
is Head of Systems and IT Audit for United Bank S.C. and a security consultant for MASSK
Consulting in Ethiopia. He has a multidisciplinary academic and practicum background in
business and IT with more than 10 years of experience in accounting, budgeting,
auditing, controlling and security consultancy in the banking and financial industries.
Kassa is highly motivated and engaged in IT security projects and research, and he
strives to update current systems and IT audit developments to keep up with the
dynamically changing world and ever-increasing challenge of cybercrimes and hacking.
He has published different articles in local and international journals.
The author of the articles can be reached at: Email: [email protected], P.O.Box: 17968
Addis Ababa, Ethiopia
The Current IIA Certifications
The IIA is the only certifying body for the profession of internal auditing. In addition to
offering the only internationally accepted designation for the profession, The Certified
Internal Auditor (CIA), The IIA offers five speciality designations to further distinguish
qualified practitioners.
IIA certifications are available through computer-based testing, allowing candidates to test
year-round at approximately 500 locations worldwide (1 in Ethiopia). Registration is
completed through The IIA’s online Certification Candidate Management System (CCMS).
A short description of each certification is given below.
The Certified Internal Auditor® (CIA®) designation is the only globally accepted
certification for internal auditors and remains the standard by which individuals demonstrate
their professionalism in the internal audit field. Candidates leave the program enriched with
educational experience, information, and business tools that can be applied immediately in
any organization or business environment.
The Certification in Control Self-Assessment® (CCSA®) designation is an esteemed
certification for control self-assessment practitioners. It measures a candidate’s knowledge of
important CSA fundamentals, processes, and related topics such as risk, controls, and
business objectives. It is the standard by which individuals demonstrate their comprehensive
professionalism in the field.
The Certified Financial Services Auditor® (CFSA®) measures an individual’s knowledge
of audit principles and practices within the banking, insurance, and financial services
industries. Candidates may choose any one of these disciplines when taking the exam,
regardless of their current occupational field. The CFSA is a respected certification for
practitioners of financial services auditing.
The Certified Government Auditing Professional® (CGAP®) certification program was designed especially for auditors working
in the public sector at all levels: federal/national, state/provincial, local, quasi-governmental,
or crown authority. It is an excellent professional credential that prepares and
qualifies practitioners for the many challenges they face in this demanding arena.
The Certification in Risk Management Assurance™ (CRMA®) program has been
designed to allow audit practitioners and others interested in risk management assurance to
demonstrate their ability to provide advice and assurance to audit committees and executive
management on whether key risk management and governance processes in their
organizations are in place and effective.
The Qualification in Internal Audit Leadership (QIAL®) designation provides the
opportunity to demonstrate the key leadership competencies valued by executives and
stakeholders, resulting in greater credibility. (For more information on certifications, visit
the IIA website at: www.theiia.org/certifications)
Publications of IIA Global
The following are major publications of IIA Global for members:
The Internal Auditor Magazine – Internal Auditor is the world’s leading publication printed
by the Institute of Internal Auditors six times a year, namely in February, April, June, August,
October, and December. In its effort to disseminate the latest auditing information,
knowledge, and skills to its CIA members, IIA-Global has a bulk subscription service at a
discount price.
Global Connections – The IIA's new quarterly global newsletter, distributed by e-mail to
members.
Institutional and Individual Members
To date, there are twenty three (23) Institutional and 150 active individual IIA-Ethiopia
members.
The Institutional members are: Addis International Bank, Buna International Bank,
Commercial Bank of Ethiopia, Dashen Bank S.Co., Defense Construction Enterprise,
Ethiopian Electric Light, Ethiopian Electric Utility, Ethiopian Airlines, PPESA, Ethiopian
Red Cross Society, Ethio Agri-CEFT Plc., Ethiopian Insurance Corporation, Ethiopian
Shipping and Logistics Service, Ethiopian Sugar Corporation, Ethio Telecom, Kality
Construction Materials, MIDROC Ethiopia Technology Group, MOHA Soft Drinks,
National Bank of Ethiopia, Nib Insurance Company, Nib International Bank, Oromia
International Bank, and Wegagen Bank.
Individual members are selected on the basis of their university credentials and practical
experience in the field of internal auditing and related disciplines. Ethiopians and other
foreign residents satisfying these requirements are accepted as regular members. Included in
this category are academic members (whose two years of teaching is considered as one year
of internal auditing work experience) and student members (full-time university students who
are in their senior (final) year).
To date, individual members pay an initial IIA-Ethiopia registration and annual membership
fee of Birr 50 and Birr 360 respectively as well as an affiliation fee of equivalent Birr amount
of USD 16.50 at the beginning of IIA-Ethiopia’s fiscal year.
NEWS IN BRIEF
a. Election of a New Board
The Ethiopian Internal Auditors Association conducted its Annual General Meeting on
February 25, 2017. The following new Executive Board members were elected for the next
four years.
Ato Samuel Ademe       President
W/o Kokeb Ashame       V/President
Ato Alemneh Abebe      Secretary
W/o Tenaye Aklilu      Finance Officer
Ato Endashaw Kifle     Treasurer
W/o Seble Abera        Member
Ato Fekadu Agonafir    Member
Ato Asrat Tesfa        Internal Auditor
b. 2017 Certification Application, Registration, and CPE Reporting Fee Increase
IIA Global has made a moderate increase in certification application, registration and CPE
reporting fees, effective April 1, 2017.
2017 Certification Application and Exam Registration Fee
Product         Member        Non-Member
Applications    USD $115.00   USD $230.00
CIA Part 1      USD $280.00   USD $395.00
CIA Part 2      USD $230.00   USD $345.00
CIA Part 3      USD $230.00   USD $345.00
Speciality      USD $380.00   USD $495.00
2017 Continuing Professional Education Fees Paid Directly by Certified Individuals
Product                Member       Non-Member
CIA or QIAL CPE/CPD    USD $30.00   USD $120.00
Specialty CPE          USD $20.00   USD $120.00
c. 2017 May Awareness Month Celebration
The month of May is international internal audit awareness month to promote the profession
and its important role in organizational governance, internal control and risk management.
This year the major event will be the half day national symposium to be held at Ministry of
Finance and Economic Cooperation Conference Hall on 27 May 2017. This year’s
symposium aims at giving recognition for the three founders of Ethiopian Internal Auditors
Association (IIA Ethiopia), H.E. Ato Lemma Argaw, the late Professor Johannes Kinfu and
Ato Wolderuphael W. Giorgis, and includes presentations and a panel discussion on the
important issues related to Systems and IT Auditing.
H.E. Dr. Abraham Tekeste, Minister of Finance and Economic Cooperation, is expected to
grace this important event.
e. A Call for Articles and Opinion
Since IIA-Ethiopia intends to publish this Newsletter semi-annually, we would appreciate it if
you could send any article or opinion related to internal auditing via [email protected]
or write to P. O. Box 26887/1000, Addis Ababa, Ethiopia. This will serve as a basis for
exchanging news, information, opinion, and suggestions.
Annex 1
Name                               Organization
1. H.E. Ato Lemma Argaw            OAG
2. Professor Johannes Kinfu        Director of IDR/AAU
3. Ato Assefan Desta               OAG
4. W/O Alia Abdulahi               ALIA ABDULAHI & Co.
5. Ato Demissie G.Michael          A.A BromHEAD & Co.
6. Ato Wolderuphael W. Giorgis     MIDROC ETHIOPIA
7. W/O Wolansa Mekuria             OAU
8. Ato Tamrate Bekele              TAMBEK
9. Ato Antonio Silla               ILRI
10. Ato Haile Tegegn               MIDROC ETHIOPIA
11. Ato Tafesse Bekele             MIDROC ETHIOPIA
12. Ato Kifle Shewangezaw          TELECOMMUNICATIONS
13. Ato Abrham Gebre Yesus         MIN. OF INDUSTRY
14. Ato Engdashet Gebre Hana       ILRI
15. Ato Kebede Tessema             WONJI/SHOWA SUGAR F