The magazine of the Chartered Institute of Internal Auditors

Issue 12 July/August 2013

Fair dues: why it’s important to keep up to date on discrimination

Too close for comfort: how to manage potential conflicts of interest

Ain’t misbehavin’: do hotlines for whistleblowers really work?

Kevin Goulding, group head of internal audit at Dublin Airport Authority, on flights, finance, security and duty-free shopping

Ground control



Contents

Front

The IIA view: From the chief executive, Ian Peters.

World view: From Richard Chambers, IIA Global president and CEO.

View from the top: From Malcolm Zack, head of internal audit at Post Office Limited.

Update: The latest news affecting the profession.

Conference preview: What to look forward to at the IIA’s annual conference.

Reportage: The findings of the 2013 Eversheds Board Report.

Features

Holiday maker: Kevin Goulding, group head of IA at Dublin Airport Authority, on local traffic and global duty free.

On the level: Why organisations must keep up with shifting views of discrimination.

What planet are you on? What the audit universe means for you.

Conflict resolution: Conflicts of interest are hard to spot and can prove expensive to resolve.

Good call? Whistleblowing hotlines are cheap and popular. But do they work?

Regulars

Tools for the job: How to improve the way you communicate the value of internal audit.

Career development: Top tips for creating a new IA function from scratch.

You asked us: Experts answer readers’ technical questions.

IIA update: Institute news and membership matters.

Courses and events: Key training dates.

Student noticeboard: Essential information for exam candidates.

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk

Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD. 020 7045 7500

Editors: Keith Ryan, [email protected], 020 7045 7543; Ruth Prickett, [email protected], 020 7045 7572

Chartered Institute of Internal Auditors: [email protected], 020 7498 0101

Subscriptions: [email protected], 020 7498 0101

Advertising: Ian Mehrer, [email protected], 020 7045 7596

Creative director: Nick Dixon

Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited.

ISSN 2048-8408.


View from the IIA

Bank vault a great leap for internal audit

“The IIA is delighted to be able to announce the launch of the first code of guidance specifically aimed at enhancing the application of the institute’s international standards in the financial sector.”

Ian Peters, chief executive of the IIA.

Risk is an integral part of the financial services sector; it’s what makes money – and loses it. One common question during the financial crash of 2008 and the various problems that the sector has had with misselling, money-laundering and fraud has been “what were their internal auditors doing?”. Often, as Barclays’ head of internal audit Michael Roemer told us in the March/April issue of Audit & Risk, the answer to this is “quite a lot, actually”. However, internal audit is only as strong as the amount of credence it is given by the board. If you muzzle your guard dog then you can’t blame it for failing to bark at the burglars.

This is why the IIA is delighted to be able to announce the launch of the first code of guidance specifically aimed at enhancing the application of the institute’s international standards in the financial services sector. This is a milestone for the sector.

The guidance is based on the recommendations of an independent committee set up by the institute. The IIA has welcomed the recommendations and has published them in full, commending them to the sector.

It is being published at a crucial time in the history of financial services, as the sector is still working out the full implications of the report of the Parliamentary Commission on Banking Standards, which has suggested that senior bankers who are guilty of reckless misconduct should be sent to prison. The Treasury welcomed this report and has promised to consider amendments to the banking bill to back it up with legislation.

Of course, the guidance alone, however helpful for internal auditors in the sector, cannot solve some of the key problems highlighted by the commission, namely that expectations of internal audit in the sector have been too low and that internal audit has not been able to play an influential enough role in supporting executives and non-executives in their responsibilities for managing risks and controlling the business.

This is why the real significance of the new guidance is that its primary target audience is not internal audit practitioners, but boards, audit committees and senior executives. Its recommendations should gain even greater force if senior executives realise that a strong internal audit function, with real access to core risk data and a voice that is heard loud and clear on the board, could help them to stay out of gaol if things go wrong.

The guidance should also help internal auditors to put their points across more consistently and forcefully. It is intended to give greater relevance to the IIA’s international standards by ensuring that best practice internal audit is expected by boards and audit committees and delivered by practitioners, consistently across the whole sector. The recommendations seek to enhance internal audit’s role and influence by clarifying reporting lines to the chair of the audit committee, demanding a broad scope and coverage for internal audit so that the function decides for itself what are the major areas of risk and establishing that no area of risk is beyond its focus.

Last, but by no means least, the success of this groundbreaking new guidance could enable the institute to produce similar advice for other sectors in future. This is a new departure for us in an area that clearly needs improved support from our profession and touches all our lives, but tailored guidance to enhance understanding of the international standards could help internal auditors in a wide range of organisations.

If financial services institutions agree to set their guard dogs free, then the hounds can start to protect us all more effectively.

The full guidance can be found at www.iia.org.uk/policy/financial-services-initiative/

HAVE YOUR SAY: Post your comments about this article or any of the issues raised at www.auditandrisk.org.uk


View from IIA Global

Keep current guidance in a changing world

“I’ve been reflecting on how the world has changed since the original COSO framework was published, how important that guidance became, and how resilient it has proven.”

Richard Chambers, president and CEO of IIA Global.

Responding to monumental changes in the way organisations conduct business, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has updated its Internal Control – Integrated Framework for the first time in more than two decades.

As a member of the COSO board of directors, I’ve been reflecting on how much the world has changed since the original framework was published, how important that guidance became, and how resilient it has proven. The 1992 document remains the most widely used internal control framework in many countries. It is used throughout the world by leading international companies. It’s even referenced by the US Securities and Exchange Commission as a viable framework to evaluate and report on the design and effectiveness of internal controls over financial reporting.

When the original COSO framework was published, the internet was in its infancy. Facebook and Twitter were still a decade away – as well as a slew of corporate scandals that gave rise to the development of corporate governance legislation around the world. Internal auditing, outside the profession, was largely perceived as an accounting discipline.

Today, internal auditing cuts a much broader swath, drawing practitioners from a wider range of backgrounds, including engineering, communications and technology, to evaluate and improve the effectiveness of risk management, control and governance processes.

In the nearly 20 years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of the systems of internal control that support the business’s decisions and governance.

It is testament to the principle-based vision of the authors of the original framework that, despite these changes, the 2013 update, written by PricewaterhouseCoopers on behalf of the COSO board, does not refute the original framework. Instead it formalises the principles embedded in it and expands the discussion in the light of the different environment in which organisations are operating, taking into account issues such as globalisation and increased expectations for governance oversight.

The 2013 framework addresses risks associated with technological advances, incorporates some of the lessons learned over the past decade about fraud, and emphasises that control is about more than just internal control over financial reporting.

COSO made a major step with this framework by expanding its applicability to operations and reporting objectives. This is especially important to internal auditors who are responsible for ensuring the effectiveness of governance and a variety of internal controls in areas beyond finance. It recognises that a system of internal control is all-encompassing.

One of the most noticeable differences is that the 17 principles within the five components of internal control are now spelled out. These principles clarify the requirements of effective internal control to facilitate designing and implementing a system of internal control and assessing its effectiveness. The framework also includes points of focus that highlight important characteristics relating to these principles.

COSO has also developed “Illustrative tools for assessing effectiveness of a system of internal control” offering templates and scenarios to help people apply the framework, and “Internal control over external financial reporting: a compendium of approaches and examples” offering practical approaches and examples to show how the framework’s components and principles can be applied when preparing external financial statements.


For further information: Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/iiaCeo


View from the top

Diversity Strength in variety

“Each person’s perspective is one window on a problem and having several perspectives means you can open those windows to produce effective solutions.”

Malcolm Zack, head of internal audit at Post Office Limited.

Internal audit had its roots in accountancy and finance, so it’s not surprising that many people in the profession are financially qualified. But what has changed over the quarter century that I’ve been working in the risk, audit and governance arena is the ever broadening remit of internal audit. The IIA in the UK and globally has consistently built, developed and upgraded internal auditing as a profession and a brand to be proud of.

As a head of function I have to be able to provide a view of risk and control across the business, so I cannot rely purely on the traditional source of internal auditors. In the three major organisations where I have headed the audit function, I have sought people with more diverse backgrounds, experiences, organisations and qualifications. Yes, one does need financial expertise at the core, but I could not meet my remit to the board without bringing in staff from other disciplines as well. This includes encouraging internal transfers from the business and, significantly, seeking IIA or CIA qualified staff.

Combining these skills can build a more rounded service. One of the best project auditors I have had so far in my teams was previously an experienced project manager, not an auditor. Their management skills were highly advanced and their experience juggling many demands as a project manager was an excellent grounding for running several audit projects simultaneously. When I was establishing a new team to focus on distribution and operations, I hired an experienced qualified internal auditor from outside the organisation, but also brought in a member of staff from the business who was steeped in operations. While they knew little of internal audit, their controls and process background dovetailed well with the external hire so we could map business knowledge with risk and control expertise. Adding others with different sector experiences enabled the team to help the business move its control dial significantly.

Most of the teams I have worked with have been relatively small, but I have been privileged to work with people from other countries who can bring different perspectives to these teams. Each person’s perspective is one window on a problem and having several perspectives means you can open those windows to produce effective solutions. Having a French man help a Peruvian on an audit in Sweden, and doing it all in English, is a bit of an eye-opener.

I joined the Post Office in October 2012 to set up its internal audit department following its demerger from Royal Mail in April 2012. Post Office is undergoing an exciting and challenging transformational change across more than 11,700 branches – the largest retail network in the UK. It’s a diverse organisation covering financial services, telephony, insurance, mails, foreign exchange, mail services and government services, so the risks are diverse too. Post Office is also keen to support diversity with the aim of bringing in a range of thoughts and encouraging people from a wide variety of backgrounds with different experiences to build change.

As the Post Office internal audit team develops, it will reflect those values. To meet the increasing expectations of the board, the internal audit team needs to be diverse in its thinking and capability. I will always need financial expertise in my audit teams, but it is essential to seek complementary strengths from elsewhere. A team that plays to its strengths will achieve much.

About the author

Malcolm Zack FCA MBA BCom is head of internal audit at Post Office Limited. He was previously group audit director at the Brakes Group, vice-president head of operational review at Visa Europe, and held audit, risk and consulting roles at Sainsbury’s, Kingfisher and the Burton Group (now Arcadia). He is a chartered accountant and a member of the IIA’s Audit Committee. The views expressed here are his own.


UPDATE

We round up the latest business and regulatory news to affect the internal audit profession.

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what’s new.

FRC revises standard on audit reports

The Financial Reporting Council (FRC) has made “significant” changes to the UK’s external auditing regime through a revised standard.

The corporate reporting watchdog has issued a revised auditing standard (ISA 700) to enhance transparency in the auditor’s report by increasing communication with investors. External auditors reporting on companies that apply the UK Corporate Governance Code will be required to explain more about their work.

The FRC is also requiring boards to describe the work of the audit committee in annual reports and for the auditor to report if the board’s disclosures do not address matters it has communicated to the audit committee. Auditors will also have to inform the committee about significant audit judgments. The changes will affect audits of financial statements for reporting periods on or after 1 October 2012. The full survey report can be downloaded at http://bit.ly/13CLVZJ

Whitehall has 89 “problem projects”

There are 89 major Whitehall projects facing significant obstacles to implementation, according to a Cabinet Office review. The Major Projects Authority’s (MPA) review of the government’s 170 largest projects – together worth more than £350bn – used a traffic-light warning system to rank the schemes. Fifty-eight were rated “amber”, meaning successful delivery is “feasible”, but “significant issues exist requiring management attention”. The abolition of the Audit Commission is in this group.

A further 23 projects, including the Universal Credit single-benefit programme and the Department for Transport’s High Speed 2 rail programme to build a new line linking London to Birmingham, Manchester and Leeds, were rated “amber-red”, meaning successful delivery is in doubt. Eight schemes were “red”, where successful delivery appears “unachievable”. These included the rail franchising programme for the West Coast mainline, and a planned upgrade to the online application system for passports.

Cabinet Office minister Francis Maude said that reviews of major projects had helped to save taxpayers more than £1.7bn since the MPA was formed in 2011. The report can be found at: http://bit.ly/1b0l2Bj

ILO: Lack of jobs will cause “lost decade”

Soaring stock markets and higher profits have pushed up executive pay and left companies with cash, but they have failed to create jobs, according to the International Labour Organisation (ILO).

The United Nations (UN) agency’s annual World of Work report warns that the world’s advanced economies will suffer a “lost decade” of jobs growth, and that the risk of social unrest is rising as inequality worsens. This will be “a major global challenge for the years to come”.

The report predicts that employment rates in advanced economies will not reach pre-crisis levels until after 2017, more than ten years after the global financial crash began.

A separate report by Eurostat, the statistics office of the EU, has found that unemployment in the Eurozone rose to 12.2 per cent in April. At 24.4 per cent, youth unemployment was double the wider jobless rate and up from 24.3 per cent in March. In Greece almost two-thirds of those under 25 are unemployed. In the UK the figure is 20.2 per cent. Read the ILO’s World of Work report at http://bit.ly/LIMqYg. Eurostat’s figures are at http://bit.ly/10MAtIX

C-suite executives shift views on risk

Regulatory changes have caused 70 per cent of c-suite executives to make “substantial” or “moderate” changes to risk management and reporting processes in the past two years, according to a report by KPMG.

To see the report, visit http://bit.ly/Wn4GG5

HSBC hires ex-MI5 boss

HSBC has hired former MI5 chief Sir Jonathan Evans to help Britain’s biggest bank clean up its act after US authorities fined it nearly US$2bn for acting as a conduit for Mexican drug money and breaking sanctions.

Evans will join as a non-executive director and will sit on HSBC’s financial system vulnerabilities committee.

Other banks have made high-profile hires to improve their regulatory compliance records. Barclays made Hector Sants, former CEO of the Financial Services Authority, its head of compliance and government relations, while Royal Bank of Scotland made Jon Pain, another former FSA director, its compliance chief.

UN warns companies to engage more with disaster risk

The United Nations has warned that economic losses from disasters have spun out of control. It is calling on the world’s business community to incorporate disaster risk management into their investment strategies to avoid further losses. To read the latest Global Assessment Report (GAR13) by the UN Office for Disaster Risk Reduction (UNISDR), go to http://bit.ly/13dxZ1A

Natural catastrophe risk report

Zurich Insurance Group’s “Natural catastrophes: business risks and preparedness” survey has found that companies recognise the potential risks posed by natural catastrophes, yet still have insufficient mitigation plans. For more information, go to http://bit.ly/11Eb7M8

Cloud governance: 5 questions for boards

IT security standards setter ISACA has issued new guidance outlining key questions for boards of directors to ask to ensure their enterprise’s cloud initiative is in line with business objectives and the organisation’s risk tolerance.

According to the white paper, boards should ask whether management teams have a plan for cloud computing and if they have weighed the value and opportunity costs. They should ask how cloud plans support the enterprise’s mission; whether executive teams have properly evaluated “organisational readiness” so that cloud processes work alongside those already in place; and whether management teams have considered existing investments that might be lost in their cloud planning.

Lastly, boards need to ask whether the organisation has strategies for measuring and tracking the value of cloud return versus risk. Full details: www.isaca.org/cloud-governance

NHS “will not achieve £20bn savings”, say FDs

Most NHS finance directors think the health service will fail to meet its target of £20bn “efficiency savings” by 2015, according to a King’s Fund survey.

Of the 51 finance directors polled by the health think-tank, almost all (96 per cent) estimated that the risk of the NHS failing to meet its £20bn efficiency target was “50:50 or worse”.

In terms of patient care, 40 per cent of finance directors believe the quality in their area has deteriorated over the previous year, and more than two-thirds (69 per cent) said that the government’s reforms had had a negative impact on performance.

According to the King’s Fund, this pessimistic outlook reflects the degree of financial pressure the NHS is currently facing. Savings so far have come largely from staff pay freezes and cuts in management costs.

The survey was published alongside the King’s Fund’s latest quarterly monitoring report on the NHS. This showed that the number of people who have waited more than four hours in hospital accident and emergency departments has hit a nine-year high. Read the full report at http://bit.ly/15x8BeX

10

“Expect More – Harnessing The Power” is the theme of the 2013 IIA conference, which takes place on 11-12 September at One Wimpole Street in London. Internal audit is facing increasing demands as organisations struggle with economic challlenges, so speakers will focus on how it can make a real difference to business success.

This year’s conference features over 30 sessions led by experts from well-known organisations. In addition to the main talks, delegates can choose from a range of practical sessions, where they can get advice, find out about tried-and-tested approaches and make contacts. The free exhibition will also provide opportunities to find out more, while networking over tea and coffee.

Day oneThe first day focuses on risk management. Speakers will look at the ways in which internal audit departments need to transform themselves into key players by identifying problems before they happen and providing insights into the effective management of risk so they add value to the organisation as strategic advisers.

Roger Marshall, director of the Financial Reporting Council, will give the keynote session on expecting more from internal audit and how new guidance on IA in financial services can be harnessed in other sectors. He will be followed by David Law, group risk and compliance director at Tunstall

Healthcare Group, who will offer a strategic overview on the key risk-management challenges currently facing boards.

Armand Lumens, chief internal auditor at Royal Dutch Shell, will then take the stage to share tips for delivering the successes of internal audit to the executive board. He will examine how to ensure that decision-makers in your organisation focus on the right risks, how to engage effectively with management teams and ways to ensure that the decision-makers receive the information they need.

After lunch delegates will separate into a variety of practical sessions focusing on different aspects of how to scan the horizon to identify emerging risks for their business.

Day two Sessions on the second day will focus on broadening the role of internal audit to ensure it is relevant and seen to add value to the business. The morning sessions offer a strategic overview with leading HIAs giving their views on contributing to business strategy and business change.

Sally Clark, chief of administration in Barclays Internal Audit, will examine how to give expertise and business insight into strategic initiatives and the ways this enables internal audit to contribute to strategy.

Mark Fensome, director of group audit services at Tui Travel, will follow this with a session on how internal audit can deliver value during business change and suggest

ways to develop the internal audit strategy to look at change. The rest of the morning will be spent in practical sessions that allow participants to explore a variety of topics from the changing role of internal audit and effective interaction with other assurance providers to the internal audit skills that will be needed in the future.

The final afternoon will focus on the soft skills required by all internal auditors. One of the key issues is communication, essential both at strategic level and when dealing with management at operational levels. Session leaders will examine the role of internal audit as a key area for growing potential talent.

The conference will end on a positive note, emphasising the strength we gain from the unity of the internal audit profession. The final session will discuss how to work across cultures, how to work together as professionals and how internal auditors can come together for the 2014 International Conference in London.

For more information

Visit www.iia.org.uk/conference to see the programme and book a place, or contact [email protected]. Book before 31 July for a discounted price of £635 plus VAT (members) or £835 plus VAT (non-members). If you would like to exhibit at, or sponsor, the conference, contact [email protected].

Conference preview

Businesses and stakeholders are demanding more of internal audit, so the IIA’s 2013 conference focuses on its power to make a difference in challenging times.

Harness the power

Expect more – harnessing the power

Internal audit has never been more challenging. Continuing economic uncertainty and emerging risks mean that internal auditors are working harder than ever.

By taking the initiative, internal auditors can enhance their role and become even more relevant to the business. Our conference will provide the strategic and practical sessions you need to broaden the role and success of internal audit.

Sessions for this year include:

• Expecting more from internal audit – new guidance for boards
• Risk management – the key challenges facing boards
• Delivering internal audit success to your executive
• Horizon scanning – how to anticipate and identify emerging risks
• Giving expertise and business insight into strategic initiatives
• Internal audit and business change – delivering value

IIA Annual Conference 2013

11-12 September 2013

Find out more at www.iia.org.uk/conference

BOOK BY 31 JULY

EARLY BIRDS SAVE!


REPORTAGE

Risk strategy is now higher on the board agenda and a board’s key challenge is how to balance growth and risk, according to the 2013 Eversheds Board Report. The report also highlighted that diversity has risen up the board agenda, 61% of directors saying that diversity on the board is key to good board performance.

There is more evidence of positive dialogue between shareholders and boards. The average AGM approval rating for executive remuneration packages was over 90%, except in the US where it was 80.5%.

Boards have got smaller

In 2007 the average board size was 13.4 directors. In 2012 it was 12.3 directors.

8% decrease in the average number of directors on the board over the past five years.

93% of board directors believe that an effective board should have fewer than 12 members.

Risk strategy


The research involved 542 of the world’s leading companies, including the top 100 companies in the UK, Europe and the US, over 120 Asia-Pacific companies, 50 Middle Eastern companies and 30 companies from Brazil. To request a copy of “Eversheds Board Report: The Effective Board” visit: http://bit.ly/YZtn6n.

60 is the average age of directors. 58 is the average age of chairmen and CEOs of the top 50 companies.

Directors are staying in their roles for longer. The global average tenure of directors is 6.7 years on the board – an increase of 13% in five years. There is a positive relationship between longer tenure and share price over three- and five-year periods.

72% of directors said that their board’s approach to risk had changed in the past two years and it is now higher on the board agenda.

Top challenges facing the board were:

• Growth strategy
• Economic climate
• Regulations

Directors’ views on the type of diversity that has the most effect on board performance:

49% cited experience and sector diversity

25% cited international experience and background

16% cited age and generation

10% cited gender

The number of executives on boards decreased in all regions. 34% was the overall average decrease. The largest decrease was in Europe (60%) and the smallest decrease was in Australia (8%).

The trend is to have fewer executive directors on the board.

• In 2007 there were 3.2 executives to 10.2 NEDs.
• In 2012 there were 2.1 executives to 10.2 NEDs.
• The top 50 companies had 2.4 executives to 8.2 NEDs – 22.3%.

51% thought that chairmen could enhance the way in which boards engage with different stakeholders.

50% increase in the percentage of female directors on boards across all regions. However, this is from a low base. The largest increases were in Europe (156%) and in Hong Kong (133%).


The airline industry has been one of the hardest hit since the global economic crisis gained momentum. While passenger numbers are moving back up to pre-2008 levels globally, profit margins have narrowed for most, and the environment is set to remain challenging for some time, according to the International Air Transport Association, the major industry body.

Yet there are always some that buck the trend and succeed where others struggle. Dublin Airport Authority (DAA), which is state owned, but operates on a stand-alone commercial basis, runs Dublin and Cork airports and delivered a solid performance last year. Turnover increased by three per cent to €575m, while profits (excluding exceptional items) grew by 66 per cent to €43m. Group operating costs fell, while passenger numbers rose – 8.8 million passengers used the recently opened Terminal 2, which is driving the airport’s long-haul growth.

So far this year, the positive upturn looks set to continue and there are signs that even more people will be jetting to and from the Irish capital over the summer (see box on page 16).

Kevin Goulding, DAA’s group head of internal audit, is confident that the airports can cope with the projected surge in demand, and that the necessary controls are in place to ensure that passengers have a smooth journey and that internal audit is not run ragged. “Increased capacity and larger passenger numbers are always a risk issue, but the opening of Terminal 2 a couple of years ago reduced those capacity risks,” he says.

Holiday maker

As the holiday season approaches, most people start thinking about a couple of weeks in the sun. But, as Kevin Goulding, group head of internal audit at Dublin Airport Authority, explains, the season brings more complicated challenges for those running airports.

Words: Neil Hodge Photographs: Mark Nixon

Kevin Goulding: in numbers

• 1998 to 2004 – senior internal auditor at Jefferson Smurfit Group plc (including secondments to the SAP implementation).
• 2004 to 2011 – head of internal audit and risk management at Kingspan Group plc.
• Jan 2012 to present – head of internal audit at DAA.
• He is a qualified accountant with the Chartered Association of Certified Accountants and part of the IIA’s heads of internal audit service

Care of duty

But Goulding’s internal audit team is working in a business that is far more complex than that of many airports. DAA has three strands to its operations. The most important and resource-intensive of these is running Dublin and Cork airports. In the past few years it has also developed a consulting arm that provides advice to airports that are, for example, planning to develop new terminals, facilities and business opportunities. Third, over the past 50 years, it has developed an enviable sideline in duty-free/duty-paid shopping with its retail business Aer Rianta International (ARI), one of the world’s largest airport duty-free and duty-paid retailing companies with an interest in 24 airports in 14 countries.

During 2012 ARI generated profits of just over €27m. It saw strong sales growth in the Middle East and in India, where annual sales at its Delhi Duty Free passed US$100m for the first time. ARI also opened its first Chinese stores in 2012 and has recently been selected as the preferred bidder for the duty-free business at Mumbai’s new Terminal 2, which means that ARI will be operating the key duty free outlets at India’s two main international gateways. This will give DAA a very strong position in one of the world’s most important growth markets.

As a result, Goulding says that internal audit’s work is increasingly involved with the way that the business is expanding internationally. “Bidding for duty-free contracts is big business for DAA and the organisation keeps an ear to the ground to find out when a new opportunity might become available. Our work involves providing assurance on financial statements. In order to win these contracts, the organisation has to give guarantees and provide sound financial forecasts on the amount of revenue and customers it can bring in. We need to check the information behind those figures,” he says.

His team will audit the activities of each ARI subsidiary every two to three years. “This process is complex for a number of reasons. First, it is a question of resources. We have a small team so we need to ensure that resources are deployed in the most effective way possible. The other issue is that many of the ARI operations are joint ventures, and we may need to agree a ‘right to audit’ with the other party. Added to that, joint venture partners may have their own internal audit teams and external auditors, so sometimes we can leverage off their work,” he explains.

Fully automatic

Another area of financial risk for internal audit relates to loss of revenue or “revenue leakage”. “The financial controls we have in place are robust and the business model we use has been established for a long time, so we are aware of the risk profile,” says Goulding. “However, some of our invoicing involves a degree of manual input and that is a concern. The business is trying to automate more of these processes, and internal audit is monitoring progress,” he says.

IT risk is already at the heart of his team’s work. “Our business is very IT-driven,” he says. “There are around 180 different types of IT system across the organisation; everything from the usual desktops to check-in terminals, CCTV, security scanners and arrival and departure monitors. We have identified about 25 of these as critical. We have to make sure that these systems will work and that there is a back-up process we can switch to very quickly if anything goes wrong. Business continuity is a major focus for us.”

To ensure that the risk of IT disruption remains low, internal audit has a policy of communicating the importance of “patch management” throughout the organisation.

“It is hugely important that everyone is using the latest – and safest – versions of software on their systems, so the IT department sends out communications notices to remind people to install the latest patches made available by software providers to get rid of any vulnerabilities,” he explains.

Developing high flyers

Goulding believes that it is important for internal auditors to move into other departments in the organisation after two or three years. He also likes to “mix and match” his staff so that members of his team get to experience all aspects of internal audit work. “I don’t want people to be stuck looking at one area of work all the time, such as regulatory compliance. I want my team to be flexible and to experience the whole range of work that internal audit does so that they get variety, enhance their skills and can benefit the wider business if they move into another department in the organisation,” he says.

Black box: the business figures

Dublin Airport Authority (DAA) runs Dublin and Cork airports (Shannon Airport was ceded in December). In 2012 turnover increased by three per cent to €575m, while profits (excluding exceptional items) grew by 66 per cent to €43m. Group operating costs were slashed, running at eight per cent below 2008 levels when Dublin Airport was operating with only one terminal.

Passenger numbers at Dublin and Cork airports were up by 1.6 per cent – equating to 340,000 extra passengers – while the number of long-haul passengers travelling through Dublin Airport grew by 16 per cent, owing to new capacity on routes to the Middle East and to North America. About 10.3 million passengers used Terminal 1 at Dublin Airport in 2012, while 8.8 million passengers used the recently opened Terminal 2, which is driving the airport’s long-haul growth.

In the first three months of 2013 passenger numbers at Dublin were up four per cent and eight new services have started flying since the start of the year. The airport has secured new transatlantic capacity so that 224 flights a week will operate during the peak holiday season.

Goulding’s first dedicated internal audit role after qualifying was at paper and packaging company Jefferson Smurfit Group (now Smurfit Kappa), where he was mentored by a head of internal audit who constantly strove to make the function “best in class”. “That experience shaped the way that I think about internal audit a lot. My then boss always looked at what value internal audit could add to the business and he put a strong emphasis on having different skill-sets, and I share exactly the same view,” he says.

He took up the role of group head of internal audit at Dublin Airport Authority (DAA) in January 2012. Before this he spent over seven years at Kingspan Group, which provides environmental, construction and renewable energy products. He enjoyed this job, which included setting up the internal audit and risk-management functions, but a seven-week spell in hospital after a routine appendix operation went wrong and nearly killed him put the constant travelling into perspective.

“Around 96 per cent of Kingspan’s business was outside Ireland, so my work involved a lot of air travel. I felt like George Clooney’s character in the film Up in the Air – I always seemed to have a bag packed and I was constantly living out of a suitcase, collecting air miles and hotel booking points. My near-death experience put my lifestyle into perspective, and I thought I’d look for a new challenge that kept me close to home,” he says.

One of Goulding’s first tasks when he took charge of the internal audit function at DAA was to make personnel changes within the existing staff. “Over the previous three to five years some of the more experienced internal auditors had left the organisation to take up opportunities outside DAA. They had been replaced by personnel from other parts of the business with less traditional auditing experience, but with a great knowledge of the operation,” he says.

“While their technical knowledge of the business was a huge asset, some of the team did not have all the requisite formal audit training and qualifications. Some of them had also been moved into the audit function temporarily and had stayed in the team longer than originally planned, so it was time to find new roles for them in the business. My approach is that the internal auditing department should be a springboard for new talent whereby recently trained and qualified auditors are brought into the organisation, and then move out into the business after about two years in audit,” he explains.

The redeployment took longer than expected, but Goulding says that he now has a team of five, including four qualified internal auditors. He is currently looking for an IT audit manager plus another internal auditor to focus on the international side of the business. This will make the team “about the right size for the organisation and quantity of work that we are doing”, he says.

His longer term plans could also involve internal audit working more closely with external teams. While he does not have a co-sourcing arrangement in place with any third-party provider at present, he concedes that he may look more closely at this option as the international side of the business grows. This could be particularly useful where the team needs local language skills, he points out. He also wants to build up the relationship internal audit has with external audit for “their shared mutual benefit”.

“In my last role at Kingspan we carried out a number of joint audit assignments across the US business with the external auditor so that skills and experience were pooled and costs were reduced. In effect, for certain locations I ensured that the requirements of the external audit programme were fully covered by the internal audit programme and that work papers were robust enough to be relied on by external audit,” he says.

“It is more difficult to create that relationship here because external audit is statutory, there are issues surrounding independence and safeguards would need to be established. However, there can be real benefits from sharing certain work to minimise duplication of effort and to ensure there is sufficient leverage off internal audit work,” he adds.


What is discrimination? It depends on what the law says – and on what your staff and customers think it is. New legislation can lead the way by prompting organisations to change the way they act and imposing penalties on those seen to be discriminatory, but it is not the whole story. Diversity and discrimination are two sides to the same coin and the opportunities as well as the risks continue to evolve.

Words: Alice Hoey Illustration: Paul Blow

“Despite the changes so far, UK laws may not yet have caught up with society’s desire for equal opportunities”

ON the level

The UK has had laws to protect individuals from discrimination on the basis of gender and race since the 1970s


When the new Mental Health Discrimination Act came into force in April 2013, it changed relatively little – most significantly for businesses, it revoked a previous provision that prevented people from serving as company directors on account of their mental health problems – but it was symbolic. It addressed the last significant type of discrimination in our society today, mental health.

The UK has had laws to protect individuals from discrimination on the basis of gender and race since the 1970s, with protection expanded in the 1990s to include disability. Since the turn of the century, religion or belief, sexual orientation and age have also been added to the legislation.

The most significant legislative change, however, was the introduction of the Equality Act 2010, which brought all the discrimination laws under one statute and gave them equal weighting. It also expanded existing protection to include marriage and civil partnership, pregnancy and maternity, and gender reassignment.

Developing diversity

Despite the changes so far, UK laws may not yet have caught up with society’s desire for equal opportunities. “There is, for example, some recognition by the public that discrimination based on factors such as social class exists,” says Dan Robertson, diversity and inclusion director at the Employers Network for Equality and Inclusion, “but the legislation on this issue is absent”.

The debates over diversity are far from over and can evolve quickly. London’s prestigious Imperial College recently withdrew its offer of a short internship in its science labs from a fund-raising auction at Westminster School after there was an outcry on scientific blogs and among its own students, who protested that internships should be available only on merit, not for A-level students with the richest parents.

Similar concerns have been raised more broadly about unpaid work placements in large organisations, which are seen to give an advantage to people whose parents are willing and able to support them while they work.

Meanwhile politicians, church leaders and pressure groups across Europe have been hotly debating the issue of whether gay couples should be allowed to marry – the first French same-sex couple married in May, while the UK and German governments are struggling to find solutions that are acceptable to groups with strongly held opposing views.

Other nations also influence the development of UK legislation, says Karen Jackson, a partner at DID Law, which specialises in disability discrimination and workplace health issues.

“Some Scandinavian countries have taken the lead on the issue of gender equality in the boardroom. In Denmark, for example, they now have quotas as part of their effort to even out the gender balance at the top levels of large companies,” she says. The US tends to be at the extreme end of the curve. “For example, it has legislation protecting against genetic discrimination, where an employee is tested for a predisposition to genetic disease.” This issue may become more important in other countries if such tests become more widely available.

The ability of digital channels such as Facebook and Twitter to enable people to express discriminatory opinions – or tell ill-timed, insensitive jokes – is also affecting employers, who can be caught in the fall-out when staff hit the headlines. The recent appointment of Paris Brown, a 17-year-old hired as Kent’s first youth police and crime commissioner, fell apart when her silly, inflammatory tweets came to light. After several days of media attention and considerable embarrassment for the Kent police and crime commissioner who had hired her, Brown stepped down. The tweets were not seen as a criminal offence, but the authority was criticised for failing to check the candidate’s online media profile.

Emails can also provide evidence of discrimination. In the mid-1990s a woman who worked at a City bank brought a sex discrimination case against her employer and used personal email comments by colleagues and bosses as evidence. Few people were probably surprised at the time that some male bankers had sexist attitudes – but the case was notable for the way in which it highlighted an emerging risk from internal emails.

But, according to Jackson, the UK government has little appetite to increase anti-discrimination protection at present.

She says that she has seen a fall in the number of claims relating to sex and race. “This is partly because the law around these has had longer to bite, but also because most employers are on side with these laws, understand them and provide diversity training around them,” she explains.

However, she is seeing more employment tribunals on the grounds of disability and age discrimination. This is unsurprising, she says, given the ageing population and the abolition of the default retirement age.

In future, she warns that organisations may need to pay more attention to other areas of discrimination that have had a lower profile in the past. “Religion and belief have had quite a high profile in the media, with cases such as Eweida v BA and the B&B owners who turned away a same sex couple hitting the headlines. Employers ought to be tuned into this,” she says.

Keeping step

Internal audit plays an important role in ensuring organisations have the proper procedures to assure against these risks. Most important, according to Alistair May, affiliate member of the IIA and head of internal audit at the Scottish Government, is assurance that the issues identified are being taken forward positively and that successful outcomes are achieved. “The key risk,” he says, “may be that the hoped for outcomes do not materialise, which would be particularly disappointing for both ministers and management.”

Discrimination has been a priority for the Scottish Government. “Most recently, following the Equality Act 2010, Scottish ministers made regulations placing specific duties on Scottish public authorities to enable the better performance of the public sector equality duty,” May says.

One legislative result of this focus was the offensive behaviour at football and threatening communications (Scotland) bill, which was passed in December 2011 and aims to tackle particular problems in Scottish football and society.

Court in the act

What are the risks of failing to comply with equal opportunities and discrimination laws?

“One problem with anti-discrimination laws is that they can attract unscrupulous claims,” says discrimination lawyer Karen Jackson, who has defended many employers against employees who see a performance-linked dismissal as discrimination. “The best way for businesses to protect themselves is to ensure they have a thorough and well-documented policy but, more importantly, to police that in the workplace, crack down on unacceptable behaviours (especially among managers who should be setting the tone) and provide regular training around the issues.” Training is essential, partly because people don’t always realise they are acting in a discriminatory way.

Businesses also need well-documented and fair HR procedures to back up their actions and decisions.

“It is alarming how often HR representatives make procedural errors that land their employers in hot water,” says Jackson. While this can be easily remedied with the right processes – keeping a paper trail of documented meetings, phone calls and discussions – many organisations fail to put these in place. “Employers often can’t demonstrate that they considered a decision, because it happened during an informal chat between managers and HR and there is no record,” she says. While records such as file notes are useful, email should be limited because “it can leave a trail of incriminating evidence and employees can ask employers to provide data about them under the Data Protection Act”.

Simple HR procedures, properly followed, can protect against claims of unfair dismissal on the basis of discrimination. For example, organisations must follow the right steps in the dismissal process – they shouldn’t go from a first informal chat to a dismissal without giving the employee warnings or help to improve. Witnesses at meetings are also a good idea, says Jackson. “In employment tribunal proceedings contemporaneous written evidence will almost always be preferred over an individual’s word.”

The Scottish Government is required to carry out an equality impact assessment when new policies are introduced. “As internal auditors, we are sometimes asked to provide advice on the development of new policies and this is one of the key areas we look at to ensure it is being addressed properly,” May says.

Legislative changes have not necessitated changes to internal audit procedures, because, May says, the government’s systems, processes and culture have evolved to reflect changes in attitudes and behaviours and new priorities. “For example, Scottish Government employees have a mandatory requirement to set a personal objective linked to diversity. This can be to do with working relations or conditions, developing processes or promoting policies. Some auditors can link their diversity objective to some of their audit assignment work where there is a natural alignment,” he explains.

Internal audit has had specific input in developing the Certificates of Assurance (CoA) process, he adds, which requires all deputy directors to complete a self-assessment checklist. “The internal auditors were at the forefront in introducing the CoA process. This is now being reviewed and some of the diversity assurances it contains may need to be refreshed. We refer to these checklists in the course of related audit assurance work and look for evidence to support the self assessments declared.”

The up side

It is easy to focus on avoiding the risk of discrimination and, ultimately, a legal battle. More positively, there are real benefits for organisations that embrace greater diversity.

“There are studies, specifically by McKinsey and Catalyst, that show a correlation between increased diversity and improved quality of decision-making, while a number of studies also link a higher representation of women on boards with business performance,” says Robertson. “What’s more, treating people fairly has a positive impact on the ‘psychological contract’ and thus improves productivity and profitability. There are also benefits to being seen as an employer of choice,” he adds, pointing out that the post-baby-boom generations put a diverse workforce high on their wish-list for employers.

While most companies focus on discrimination as an employment issue, it’s worth remembering that in many cases a company’s staff are also its customers, local ambassadors and frontline communicators. One IT company in the US found that customers reacted better when they diversified their engineering teams by recruiting people from a wider range of backgrounds and training them internally. Sending people who reflected the range of people who worked in their customers’ offices, rather than a team entirely made up of white men who all had the same qualifications, meant that customers felt they could ask more questions and gained better service.

Supermarkets and DIY stores that have made an effort to recruit older staff have found that these employees are often better informed about products and more committed to their jobs than much younger staff, who see the job as a stepping stone to something else or a short-term option, although older workers may be less able to take on heavy physical work. Older customers often appreciate being able to talk to someone more like themselves who understands their needs.

You don’t need to spend much to ensure your company is an equal opportunities employer. The average cost of putting basic procedures in place is less than £1,000, according to the Employers Network for Equality and Inclusion.

As new issues come to the fore and attitudes in society shift, there is scope for further changes and emerging risks. Organisations and internal auditors need to stay on their toes.


One of the questions I am regularly asked in my professional and academic capacity is how I quantify my organisation’s internal audit universe. To this my reply is usually: “Well it’s good to be an internal auditor rather than a scientist.”

Professor Brian Cox writing in the Wall Street Journal in April 2013 explained: “Quantum theory tells us that the universe we experience emerges from a bewildering, counterintuitive maelstrom of interactions between an infinity of recalcitrant sub-atomic particles.” Believe me, defining the internal audit universe is much simpler than that, although the principles may well be similar.

The definition of internal audit quoted in the International Professional Practices Framework (IPPF) gives us a clear steer that we should be concerned with an organisation’s operations; in other words, everything that our organisation encompasses and interacts with. In such terms, both the quantification of the scope of operations and their review clearly represents a massive task, but if we do not attempt to consider the entirety of the whole, how can we decide where we should focus our attention?

So the issue becomes not “what is the size of the universe?”, as this is a simple if exhaustive exercise, but rather “what is the extent of the focus for our internal audit plan in strategic and operational terms?”. I therefore offer two views of how a head of internal audit might advise an audit committee over the components of the internal audit plans.

The increasing prominence of governance statements and the requirement for transparent reporting of significant risks provides guidance that what matters is the assurance needs of internal and external stakeholders. The aim of the board is to

deliver a clean opinion on the position of the organisation. It needs to

know whether internal audit is able through its periodic and annual reporting to deliver an assurance report that supports such a statement.

This should direct the focus of our internal audit plan. Can we provide assurance opinions in relation to what the board would not wish to report, presumably covering a triple bottom line of sustainability, corporate social responsibility and financial performance? We might consider this as the “corporate dashboard”.


Professor Robin Pritchard explores the meaning of the universe in internal auditing terms.

What planet are you on?

A different way to approach this could be to look at where the board gets assurance from – this is a pre-requisite of governance codes and the IPPF (standard 2050). This requires analysis of the three lines of defence, in which inherent and residual risk are assessed, before management can provide assurance over the operation of procedures. At this stage we can assume that residual risk is likely to fall into one of three categories:

• Deep purple – an unacceptable level of risk remains, which is above the risk appetite of the board.
• Purple – the level of risk exposure requires constant monitoring by executive management.
• Violet – a level of risk that is unlikely to cause business disruption.

Such analysis of the risks can be transposed into three areas of internal audit activity. At the deep purple level management will implement solutions to bring risk exposure within the risk appetite of the board. Internal audit activity is likely to be of a consultancy or advisory nature.

In the purple area there is a control risk line where, if key controls failed, the organisation would be exposed to unacceptable or even catastrophic risk. This is where internal audit needs to provide assurance-based work as a third line of defence.

The violet area is likely to feature operational activity. Therefore some compliance audit may be appropriate to reassure the board about the continuity of control and to contribute to overarching opinions relating to control, governance and risk management.

The essential aspect of the internal audit plan is therefore risk-based, featuring not only the areas of perceived greatest risk, but also key controls within them. These will be the areas that the head of internal audit will recommend to the audit committee for attention, since this will directly support the governance statement. Areas where consultancy or compliance audit may be required are likely to be at the request of executive or operational management.

The significant question for heads of internal audit is, therefore, whether you are engaged with this level of strategic risk within your organisation. If so, do you have the appropriate level of resources and skills to deal with risk issues that will arise across the spectrum of activity that your organisation encounters? I believe that world-class internal audit teams are multidisciplinary and reflect the nature of the organisation, with audit staff also being appropriately trained in internal audit practice so that they can fully associate themselves with the fundamental responsibilities of the role.

We should therefore focus not on the whole universe, but on the most relevant aspects of it to help our organisations achieve objectives by delivering assurance that systems of control, governance and risk management are appropriate.

Professor Robin Pritchard is head of the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School. He is chair of Severnside Housing and manages his own consultancy, Ra Business Services. For IIA guidance on the audit universe visit www.iia.org.uk/audituniverse.


[Figure: Categories of residual risk. A matrix scoring impact on business (Minor 1, Moderate 2, Major 3, Critical 4) against likelihood of occurring (Almost never, Unlikely, Likely, Almost certain), with scores from 1 to 16. Key: acceptable level of risk subject to regular monitoring; risk management measures need to be put in place and monitored; unacceptable level of risk exposure, which requires extensive management.]


Conflict resolution?

While it might seem obvious that an MP should not accept cash from lobbyists to ask questions in Parliament, some conflicts of interest can be hard to spot and depend on an individual’s role as well as the sector they work in. So how can internal audit help firms to be on guard?

Words: Peter Curtis

When the Financial Services Authority (FSA) fined fund manager Martin Currie £3.5m in 2012 for failing to manage a conflict of interest between clients, it was a sign of heightened regulatory scrutiny of asset managers’ approach to managing such issues.

In November last year, the FSA sent the chief executives of every UK asset manager a letter asking them to confirm that their firms had adequate conflict procedures in place. And, under the guise of the new Financial Conduct Authority (FCA), it is now said to be considering multi-million-pound fines for fund managers that use investors’ money to pay investment banks for access to the CEOs of their corporate clients (reportedly up to $20,000 an hour).

But conflicts of interest can occur in all types of organisation. For example, the Financial Reporting Council (FRC) recently announced two investigations into the audit arm of KPMG over possible conflicts. And last October the European Court of Auditors found that a number of EU agencies, including the European Food Safety Agency and the European Medicines Agency, had failed to manage conflict of interest situations adequately.

Sources of conflict

Conflicts of interest can occur in a wide range of situations. They might involve a clash between an employee’s personal interests and those of their employer’s customer or stakeholder. Gifts and entertainment are obvious examples, whether it is a case of a head of procurement being paid to fly around the world to attend a prestigious sporting event by a supplier trying to sell them services, or a local councillor accepting a bottle of champagne from a company and subsequently sitting on a panel deciding whether to award them work. Or it could be an individual holding shares or having another financial interest in a client, supplier or competitor.

Other types of conflict occur between the interests of different clients. This is a particular problem for law firms, which are prohibited by the Solicitors Regulation Authority from acting for a client whose interests clash with those of another client or of the firm itself. As a result, many now have teams dedicated to detecting potential issues.

Concerns over a lack of independence can also be a problem for external auditors. In May, the FRC – which sets ethical standards to ensure their objectivity and impartiality – published its annual report into audit quality inspections. While it highlighted an improvement in the overall quality of external audit work, it also found that firms should reassess the adequacy of their independence and ethics procedures and the training they provide to staff at all levels. In one case, a former executive of an audited organisation rejoined its audit firm as a partner, but failed to dispose of a shareholding in the organisation for several months, in breach of ethical standards.

Whatever the nature of conflicts, there can be regulatory consequences for failing to manage them appropriately. Company boards have a statutory duty under the Companies Act 2006 to avoid conflicts of interest, while the UK corporate governance and stewardship codes (overseen by the FRC) place a range of requirements on boards and investors for handling independence and potential conflicts on a “comply-or-explain basis”. The Bribery Act 2010 has increased scrutiny over employees accepting gifts and entertainment. The professions also have their own ethical codes and systems of regulatory oversight.

But legal problems are not the only danger from conflicts of interest – there’s also the risk of reputational damage. Angela Robertson, general counsel at Eversheds, notes: “If a law firm takes on a piece of work for a client and a conflict of interest is subsequently identified, it could severely damage or even kill that client relationship. In some sectors – particularly those where clients are sensitive around conflict issues – it could have repercussions across the industry, because word would get out to others. Obviously there’s a risk of adverse publicity, particularly in the legal press.”

An end to direct assistance

IAs need to be aware of a recent change to Financial Reporting Council standards for external auditors that will affect how the two sets of auditors can work together. “Direct assistance” – where external auditors take IAs into their audit team for a period of time – will now be prohibited.

It’s a move that has been taken precisely to avoid “conflicts of interest and a lack of independence”, explains Melanie McLaren, executive director of codes and standards at the FRC. “Clearly an internal auditor who is employed by a company has a financial interest in it.”

External auditors will still be able to rely on the work of IAs provided that it has been scoped and managed by the internal audit function and that the external auditor is satisfied that it has been approached objectively and appropriately reviewed.

There is, of course, an ongoing debate at European level over the possible compulsory rotation of external auditors and restrictions on the consultancy services that they can provide. In the UK, the FRC doesn’t support mandatory rotation, but changed the corporate governance code last autumn to stipulate (on a “comply-or-explain” basis) mandatory retendering of external audit contracts every ten years by FTSE 350 companies. “Our view is that investors deserve the best quality audit,” says McLaren. “In some parts of the market there isn’t a large number of firms capable of carrying out a sufficiently high-quality external audit, largely because of the global reach or sectoral expertise needed.”

In terms of firms’ consultancy work, McLaren says the FRC isn’t in favour of a cap on so-called audit-related services. “We think it would be better to say that there are certain services that can’t be provided (such as advocacy) and then place a requirement on audit committees to satisfy themselves in terms of independence, objectivity threats and safeguards on the other work.”

Reducing the risks

How can organisations reduce the risk of conflicts of interest occurring? The starting point is for all conflicts or potential conflicts to be declared or identified so they can be managed appropriately. At Wokingham Borough Council all councillors and senior managers are asked to complete a declaration of any known conflicts of interest annually.

“But this is only as effective as the training and understanding that goes with it,” explains Muir Laurie CMIIA, director of business assurance and democratic services and head of internal audit at the council.

“I think some internal audit teams think that getting 100 per cent completion of those forms is all you need to do. But that doesn’t mean there aren’t conflicts of interest – managers may be unaware of them or knowingly leave them off forms because it might ruin relationships they have with contractors.”

Issues for councils in general are typically around property and procurement for officers and planning for council members. Laurie says that Wokingham runs governance training sessions for newly elected councillors. “If a council member is sitting on the planning committee hearing a planning application from one of their neighbours wanting to build a conservatory in their back garden, should they declare it? They should – and that’s the kind of practical example we try to give.”

In the legal sector, a lot of conflict management relies on processes and technology, explains Robertson. As well as being responsible for conflict management at Eversheds, she previously set up the global conflicts team at Clifford Chance after it had undergone two mergers. “Every single piece of new work for a client, whether new or existing, had to go through the central conflicts team to identify whether there were any legal or commercial conflicts of interest,” she explains.

Useful resources

• OECD guidelines for managing conflicts of interest in the public sector: http://bit.ly/15B4Yot
• FSA paper on conflicts of interest between asset managers and their customers: http://bit.ly/13lfboW
• Hargreaves Lansdown conflicts of interest policy: www.hl.co.uk/conflicts
• 3M conflicts of interest policy (US): http://bit.ly/11YFsLy
• Companies Act 2006 – a director’s duty to avoid conflicts of interest (Pinsent Masons): http://bit.ly/18ojTxw

A law firm needs a good conflicts database containing details of all its current and historic clients and cases, she adds. “You need to be able to identify what work you’ve done for which client over a period of time. You’ve also got to have a good, clear process that everybody is aware of, so that you don’t start acting on a piece of work for a client until you’ve checked with the conflicts team, assuming you have one.” But lawyers must also be trained to understand the importance of giving the correct information to the conflicts team, she adds. “A conflicts system relies on people using it properly and inputting the right information.”

Getting the right culture and governance framework is also an important issue for asset managers – and reflects the FCA’s focus on consumer protection, believes Amanda Rowland, the partner who heads up PwC’s asset management regulation team.

“If senior management are getting the right information and are fully engaged, and the culture is right within the firm, all of these issues – whether conflicts or anything else that affects consumers and products – will be handled better,” she says.

While she believes that “most firms would say that they were managing conflicts of interest in a way that they felt was appropriate”, the regulatory expectation has shifted and “the level of attention from the regulator has clearly concentrated minds”. Since then, firms have been looking at their written policies and procedures and ensuring they have appropriate control mechanisms for declaring, registering or managing conflicts.

But there are still grey areas – particularly relating to concerns raised by the FCA over the way asset managers buy research and trade execution services on behalf of clients. “Clearly there’s the potential for conflicts. The question is what’s the best way to deal with that, while at the same time leaving asset managers with access to the best quality research that enables them to make the best decision for their funds and provide the best service for their customers.” The matter is the subject of an ongoing discussion between the regulator and the industry, she adds.

So what’s the role for IAs in terms of managing conflicts of interest? “As part of our internal audit plan, we’ll carry out a review of declarations of interest for officers and members,” says Laurie. “We don’t look just at the completion rate, but whether they are consistent with our cumulative audit knowledge and experience. If they aren’t, we can flag it up.” It’s also important for a head of internal audit to lead by example and be very transparent about any perceived or actual conflicts of interest that they face themselves, he adds.


Good call?

For the past decade hotlines have been the indispensable favourite form of early warning system for companies in all sectors anxious to spot the first signs of all types of wrong doing. Not only is a hotline a universal talisman against evil, it pleases the regulators and impresses investors. But do they really work? Probably not, if no one ever calls them. So when are they effective and what can you do to ensure they live up to companies’ great expectations?

Words: Nick Waldron

The corporate collapses of the late 1990s and early 2000s led to a proliferation of internal hotlines for reporting wrong doing. Companies worried about similar catastrophes saw hotlines as an early warning system that would enable them to address problems internally before they grew out of control and were exposed externally. Hotlines are cheap to install, are considered best practice and are even mandated by legislation for particular types of business operating in certain countries.

The success of hotlines at detecting fraud is widely reported. In its 2010 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners found that: “Hotlines were the control with the greatest associated reduction in median [dollar] loss, reinforcing their value as an effective anti-fraud measure.” Hotlines also have the support of some business heavyweights. In one of his chairman’s letters for Berkshire Hathaway, Warren Buffett stated: “Berkshire would be more valuable today if I had put in a whistleblower line decades ago.”

So, if hotlines are cheap, effective, recommended as best practice and sometimes mandatory, their implementation is presumably a no-brainer? Well, not quite. There is some disquiet in organisations that have implemented hotlines. A post on the IIA’s discussion forum by “Guvnor Hans” stated that his organisation’s whistleblowing policy had been running for two years and had not had a single response. He posed the rhetorical question: “Does this mean that everything is OK inside the organisation, or that the scheme to prompt people to report wrong doing has failed?”

The ensuing thread indicated that other auditors had similar experiences with their organisations’ hotlines. Is it conceivable, then, that the hotline is not always the cheap, effective wonder drug it seems, despite being prescribed widely to fight wrong doing in all its various forms on all fronts since the beginning of the century? The success of hotlines at detecting fraud in large organisations is borne out by the statistics, but are hotlines effective at detecting or deterring other types of wrong doing in other types of organisation in other countries and cultures?

This question prompted us to try to determine the effectiveness of whistleblowing hotlines in detecting and deterring various types of wrong doing across a range of organisation types, sizes and sectors in different countries and cultures. We conducted an internet survey from May to September 2012, which received 137 usable responses (some of which were followed up with interviews). Of these responses, 87 had some form of whistleblowing hotline in place, although use varied in different organisations.

The first problem to overcome when assessing the effectiveness of a hotline is what to use as a measure of effectiveness. In order to determine both the metrics against which to measure and the targets to aim for within those metrics, hotline operators need first to establish what they are hoping to achieve in setting up a hotline. If, as 18 per cent of survey respondents indicated, the aim is to meet a regulatory requirement, the mere presence of a hotline achieves the objective. The risk is that hotline implementation becomes an end in itself.

One interviewee cynically suggested that his employer had set up a hotline, but had then failed to man it in order to avoid detecting wrong doing – channelling complaints into a black hole. This view was echoed by PriceWaterhouseCoopers’ 2011 report Corruption and Conflict of Interest in the European Institutions: The Effectiveness of Whistleblowers, which stated: “It appears… that the EU institutions are looking to avoid negative news rather than intrinsically seeking to promote correct and transparent culture.”

Diligent hotline operators are likely to require more from the hotline than its mere presence. They might expect, for example, an increase in the detection of wrong doing or a decrease in wrong doing itself. They then need to measure the achievement of such objectives. One obvious measure of effectiveness is numbers of reported incidents. These figures are used in, for example, reporting hotlines’ success in detecting fraud. However, used in isolation, incident numbers may not be an appropriate measure of effectiveness. For a start, numbers of reported incidents are often too low to demonstrate quantifiable improvements in control. The survey showed that during 2011, 52 per cent of respondents received ten or fewer calls. Small numbers of reported incidents may hamper meaningful trend analysis, but do not necessarily indicate that a hotline is ineffective. In its Whistleblowing Code of Practice, the British Standards Institution argues that “one single, well-founded concern can more than justify the modest expense that whistleblowing arrangements incur”.

Moreover, some reported incidents may be frivolous calls or calls that cannot be substantiated with evidence, particularly when hotlines accept anonymous calls (92 per cent of surveyed hotlines). One survey respondent stated: “Most of the reported incidents turn out to be unsubstantiated and many of the anonymous allegations are malicious or vexatious.” The survey found that hotlines accepting anonymous calls receive more calls than those that don’t. However, 23 per cent of respondents indicated that only ten per cent or fewer of the calls they received offered evidence of actual wrong doing. The remaining 90 per cent are what Miceli, Near and Dworkin refer to as “noise” in their study Whistleblowing in Organizations.

Furthermore, a simple rise in the number of reported incidents may not be a good indicator of a hotline’s effectiveness. If the hotline’s objective is ultimately to deter would-be wrongdoers, the hotline operator might hope for an initial rise in reported incidents as potential whistleblowers gain the confidence to take the plunge, followed by a decrease as would-be wrongdoers realise they might be punished. This ideal trend was observed by only between one and eight per cent of respondents – for personnel-related incidents and security/confidentiality-related incidents respectively.

As the ideal trend was observed only rarely, the research used any increase in the amount of detected wrong doing, together with the opinions of respondents, as measures of effectiveness. The results were analysed by geographical region, by organisation size and by organisation type (charts 1 and 2).

The first indicated that survey respondents across all geographical regions have largely positive impressions of the effectiveness of their hotlines. Interestingly, respondents from regions where whistleblowing is well established and supported by comprehensive legislation (Australasia, North America and the UK and Ireland) were less positive than those from other regions, possibly because of longer experience, or as a result of resistance to wider ranging legal requirements in those regions. In this analysis the largest increase in the detection of wrong doing was in fraud. However, in 33 per cent to 54 per cent of responses (depending on region), there was no increase in fraud detection. When it came to other types of wrong doing even more respondents said they saw no increase in detection.

Analysis by type of organisation also showed that positive impressions of hotline effectiveness are more widespread than increases in the detection of wrong doing. It is interesting to note the relative opinions of the effectiveness across different organisation types. International organisations have a 100 per cent positive perception of their hotlines’ effectiveness (albeit for a small response population), possibly because of more recent implementation. Not-for-profit organisations have the second highest perception as well as the highest increase in the value of detected fraud – the two findings may be linked. Respondents from government have a slightly more negative opinion of the effectiveness of their hotlines than those in other sectors, possibly because hotlines have been imposed on them.

Analysis by organisation size shows that perceptions of a hotline’s effectiveness are generally higher than actual increases in detected wrong doing. The exception to this is in the largest organisations, where increases in detection rates are significantly higher. There is almost no increase in detected wrong doing following hotline implementation in organisations of 101-1,000 employees, where opinions of effectiveness are also lowest. Apart from fewer employees reporting fewer incidents, it may be that the intimacy of a small organisation increases the risk of confidentiality breaches, or leads to lenient sanctions so people believe reporting is risky and not worthwhile. A more positive interpretation is that team spirit in small organisations leads to less wrong doing. Either way, for the small organisations surveyed, hotlines were ineffective at increasing detection of wrong doing.

Overall, positive opinions of the effectiveness of hotlines range between 70 per cent and 100 per cent, whereas increases in the detection of wrong doing generally range from zero to 60 per cent. So survey respondents have a more positive impression of the effectiveness of their hotlines than is borne out by detection rates. Some survey respondents indicated that their hotline was implemented to meet their corporate responsibility requirements and that effectiveness need not necessarily be determined by an increase in the detection of wrong doing. Others felt that a lack of calls indicated ineffectiveness. One respondent stated: “There has been no measurable difference in wrong doing being reported or uncovered since the hotline has been introduced.”

In terms of increased detection or deterrence, the small numbers of valid calls make it difficult to quantify hotline effectiveness in all but the largest organisations. In its “Good Practice Guide on Speak Up Procedures” the Institute of Business Ethics says that, without comprehensive records, it is impossible to measure the effectiveness of whistleblowing mechanisms. This leaves hotline operators with a dilemma – best practice is to keep records to measure effectiveness, but they have very few cases on which to hold data. This brings us back to the question of how we know if the hotline is working when no one calls it.

Various data can be gathered by operators to measure a hotline’s effectiveness. Where incidents have been reported, they should retain detailed records of the validity of the report, the response and resolution time and the outcome (eg, sanctions, policy change, internal control improvements). Arguably more useful than this quantifiable information is the opinion of the whistleblower (although this might not be possible if the caller is anonymous). Was their case handled fairly and in good time? Was the outcome reasonable? Was confidentiality respected? Were they kept informed? Did they suffer retaliation?

The success of a hotline depends on whistleblowers coming forward. It can take a long time to build confidence to report and this can crash quickly if users have bad experiences. Without user confidence, the hotline is dead and without comprehensive records the operator may not know it is dead.

Measuring hotline effectiveness need not, however, be limited to data on reported incidents. Staff surveys can gauge opinion of hotlines. Questions should not be restricted to “are you aware of the hotline?”, but should ask “would you report wrong doing that you witnessed?”, and “if not, why not?” You could benchmark against similar organisations’ hotlines using reports such as the 2010 Corporate Governance and Compliance Benchmarking Report by BDO Consulting and The Network to measure your hotline’s relative effectiveness. To measure the effectiveness of the hotline as a deterrent, you need comparisons of before and after data related to the consequences of wrong doing (eg theft data, costs of legal cases or information leaks).

Credibility is crucial. An ineffective hotline that is seen as window-dressing can increase staff cynicism towards management and is likely to damage rather than help the fight against wrong doing. It is vital that hotline operators are clear about what they want to achieve, and then actively monitor (by recording and analysing detailed records) the achievement of their objectives. It may be complicated to measure effectiveness, but without constant monitoring, measurement and adjustment, the hotline is doomed to fail.

Nick Waldron CMIIA is internal auditor at the European Space Agency headquarters in Paris.

[Chart 1: Respondents who see hotlines as effective – by organisation size. Vertical axis: % of total responses (0 to 100). Horizontal axis: staff (1-100; 100-1,000; 1,001-10,000; 10,001-100,000; >100,000).]

[Chart 2: Respondents who see hotlines as effective – by organisation type. Vertical axis: % of total responses (0 to 100). Categories: Government; International organisation; Private company; PLC; Not for profit.]

For more information: to read full versions of the tables shown above visit www.auditandrisk.org.uk

How to measure a hotline’s effectiveness

• Decide on the purpose of your hotline. What type of wrong doing may be reported? Does it accept anonymous calls?
• Set your objectives and determine how to measure them.
• Set realistic, tangible targets.
• Keep comprehensive records.
• Measure what you can through hotline statistics on reported incidents.
• Where possible, obtain detailed feedback from whistleblowers.
• Conduct confidential staff surveys to determine staff opinion of the hotline.
• Benchmark against similar organisations.
• Conduct before and after comparisons of data related to wrong doing (eg financial loss through fraud).


We are currently in a period where businesses need to take risks to grow, yet have a low tolerance of failure. The role of internal audit has, arguably, never been so important, yet the cost of internal audit is becoming ever more visible – and this means it can be challenged. So internal auditors need to demonstrate the value delivered by their function.

Researchers from KPMG, at the IIA Scotland conference in November, asked representatives from some of Scotland’s biggest companies: “Can you measure the value delivered by your internal audit function?” This research was supported by a series of workshops that added qualitative value. It identified three key challenges: strategic; measurement; personal/personnel.

The strategic challenge: surprisingly, one of the main challenges facing internal audit is a lack of clarity around its strategy and remit. Nearly a quarter of those polled were either unaware of, or did not have, an internal audit strategy. You need a clear remit and strategic positioning of the function to know what to measure. The problem is exacerbated by a range of reporting lines for the chief audit executive.

Paradoxically, almost all respondents had performance incentives that included measurement criteria. So performance measurement is part of the culture and, therefore, we need to shift the focus to the links between performance and the internal audit strategy. The simple step of engaging with the audit committee and executive management to define their needs and requirements should help to inform future work.

The measurement challenge: how to measure added value is a crucial question and is generally seen as the most difficult part of the process. Measuring internal efficiency and productivity is now more common. The research suggests that 96 per cent of private sector and more than 80 per cent of public sector organisations measure department performance. In these cases more than 40 per cent provide the performance statistics in their reports to audit committees.

However only 20 per cent of respondents measure value-driven items such as savings, fraud prevention and identifying control weaknesses. So measuring results is more difficult and much less prevalent than measuring activity.

The personal/personnel challenge: does the measurement challenge indicate a personnel challenge? Responses showed a clear link between internal audit performance objectives and those of internal auditors (in almost all cases around 95 per cent). Equally, they showed no link between cost savings, value adding and the personal objectives of internal auditors. This may be a chicken and egg dilemma and further indicates the lack of definition described above.

Respondents also indicated that further work is needed to establish the right IA resource quality and mix. More than 30 per cent said they need greater depth of functional resources.

Most people agree that it is desirable to demonstrate the value of internal audit. So what can the profession do to show the value it adds and share experiences as a profession and functional activity? The research pointed to four areas:
1. A clear remit: make visible and be clear about internal audit’s responsibilities and what it will, and will not, undertake and assure.
2. Improve quality and maximise the internal audit report communication. Link reports to the organisation’s strategy, objectives and values. Make them relevant to the organisation and ask recipients what they want.
3. Commission independent, interview-led feedback. Getting feedback from areas being audited can result in a conflict of interest. It is more valuable when obtained in an independent interview.
4. Identify a Top Ten set of common measurement criteria to form a “dashboard” of internal audit delivery. This should audit progress against the IA plan, give quarterly updates of high-risk audit areas, benchmark similar processes across the organisation and get feedback on any inconsistencies.

It’s easy enough to see how much internal audit costs, but can you improve the way you demonstrate the value that your organisation gets in return? Scott Wallace finds some pointers in the results of new research by KPMG in Scotland.

Scott Wallace is director for internal audit, KPMG, in Scotland.

Quantifying quality

Tools for the job


Career development

In the beginning

The importance of a strong internal audit function is not always obvious to managers or employees. Some see it as an overhead or a source of awkward questions that hinders operations. So first you need to understand what drove the decision to establish the function. Did the board have no option (is it a regulatory requirement)? Did shareholders or a parent company demand it or external auditors recommend it? Did the board want an internal audit function? Did something happen which made it impossible not to have internal audit? You then need to consider the corporate structure of the organisation and plan how to introduce an audit function with the best possible standards.

These questions enable the head of a new internal audit function to put their position in a wider context. The answers should indicate the priorities of the board and ensure that your audit plan covers the key issues. They might also identify areas where internal audit needs to win trust.

Ask how the board and management see the role of internal audit. If they want the function to fulfil static objectives, such as generic balance sheet or income statement reviews, it might be difficult to develop a wider role. This can also be a problem if the function is set up in reaction to an incident.

Your first audit plan will probably address the key concerns of the board. It may or may not be linked specifically to the organisation’s risk register, but it will be geared to the areas where the board needs short-term assurance. At this stage the function will probably have limited resources and may have enough work completing even a simple plan.

When you start to develop the role, you need to know the organisation’s position on risk management. An open-minded attitude should enable you to align the audit plan with the organisation’s strategic objectives. Risks can be incorporated as they are identified.

Informal approaches to risk management make this more difficult. Inherent risk may be inadequately documented and information can be trapped in management silos. Managers might believe they are managing risk, but these risks may be historic, generic or function-specific and may ignore support departments where the impact of incidents is not immediately apparent.

Managers may not agree which risks need to be addressed. If so, you will have to learn more about the organisation and find the best way to discuss it. Putting the work in now should help to identify non-assurance areas where internal audit can add value, and conversations, questions and suggestions may open management’s eyes to more risks.

You may need to make difficult choices about audit scope. If regulators demand particular reviews, you may have little time for other areas. If the board merely wants reassurance about the numbers, it might restrict audits to balance sheet and income statement reviews. Alternatively, the board may want a comprehensive plan without providing resources. If so, you must explain the implications and manage expectations.

Delivering results is central to demonstrating the value of internal audit. Use early reports to identify new areas of work and show management that you can do more than what they initially wanted.

Discuss issues to ensure that all parties are clear about what reports mean. Grading findings will be a hot topic, particularly if managers are new to audit, or used to getting low grade issues.

Negotiating the wording of findings and grades can be difficult, but it helps you to focus on what is important. If managers or staff fear recriminations, they will resist. You need to work with the board, managers and staff to allay fears. A board that accepts and delegates responsibility for issues makes it easier for internal audit to be a partner, not an agency of blame.

You cannot change a blame culture overnight, but you can stress that your concern is rectifying problems and enhancing controls. Building trust improves information flows, makes audits more efficient and encourages staff to raise issues.

It takes time to embed a function. If you understand your business and deliver a quality product, you will create opportunities for internal audit to add real value.

Ross Boreland CMIIA is assistant manager, enterprise risk services, Deloitte, Dublin. The IIA recently issued guidance on setting up an IA function at www.iia.org.uk/setupnewIA

What factors should you consider when establishing and embedding a new internal audit function? What challenges will you encounter, and what opportunities might arise? Ross Boreland CMIIA offers some advice.


Q. I am looking for advice about conflicts of interest. I have recently moved into an audit role from an operational role and want to clarify what would be a reasonable length of time before I can audit the area where I worked?

A. Ideally I would steer clear of auditing an area where you previously had responsibility. You may feel objective, but this may not be the view of your former colleagues and that may make it hard to agree conclusions and recommendations. If you have no option it’s generally thought that a one-year lapse is needed.

Practice advisory 1130.A1-1 states: “Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit those activities they previously performed or for which they had management responsibility until at least one year has elapsed. Such assignments are presumed to impair objectivity, and additional consideration should be exercised when supervising the engagement work and communicating engagement results.”

Q. I am looking for guidance on creating and maintaining good working papers.

A. The format of working papers is less important than the content. The key aspect is to record relevant information such as your objectives, work programme, results of interviews, the extent of testing and the results from testing. All of these show how you have formulated your conclusions and your opinions. The international standards do not prescribe the format as such, but emphasise that, if challenged, you should feel confident and able to provide sufficient evidence to support your views and recommendations.

Thinking about the way your working papers link together and how much time it takes to complete them will help you to improve operations (efficiency), but this is secondary to providing reliable assurance (effectiveness). Lastly, working papers are the property of the organisation, so the head of internal audit needs to control access, develop retention requirements and obtain appropriate authority for their release. This will involve designing and implementing policies and procedures.

Q. Can you advise me on what is best practice for the approval of a purchase requisition and subsequent purchase order? Does finance have a value-added role to play in this or should they allow budget holders to control spend?

A. I’m not sure there is such a thing as best practice any more, just a wide range of differing practice as organisations redesign procedures to take advantage of new technology and work to reduce costs. For example, I know one organisation that has removed requisitions altogether and automatically pays invoices if they match the purchase order amount. They take the view that cost savings in time and staff reductions significantly outweigh the risk of errors and fraud.

Some finance departments adopt a monitoring and control role as well as a processing role. This involves checking certain things are correct, eg, coding, use of preferred suppliers or competitive quotations. You could call that added value, but it comes at a cost. The alternative is to push some of those responsibilities on to management to spread the load or to develop new tools.

My advice is to encourage a risk assessment of the purchasing process from start to finish with review of required responses. If that has been done, you could assess how effective that is and verify that controls are working. This will give an all-round view of risk management rather than looking at things on a control by control basis.

Q. Is it compulsory for all UK listed companies to have an IA function?

A. There is no mandatory requirement for listed companies to have an internal audit function, but it should be something that audit committees consider on an annual basis. Absence of an internal audit function should be explained in the annual report.

You asked us

Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you’ve submitted recently.

Q&A

“Ideally, I would steer clear of auditing an area where you previously had responsibility.”


The following three documents and extracts provide more information and may be of interest.

1. “Guidance for audit committees, the internal audit function”, ICAEW, March 2004: Whether to have an internal audit function. Having an internal audit function is not mandatory for listed companies, although it is for certain public sector organisations.

Therefore the board of a smaller listed company may decide that it already gains sufficient assurance on risk, control and governance from other assurance activities within the organisation, for example, directly from regular management information and self-monitoring, from other assurance functions such as security or health and safety or from its external auditors. In short, a company may conduct internal audit activities even though there is no internal audit function.

2. “Guidance on Audit Committees 2010”, Financial Reporting Council, page 11 4.10/4.11: The audit committee should monitor and review the effectiveness of the company’s internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report.

The need for an internal audit function will vary depending on company specific factors including the scale, diversity and complexity of the company’s activities and the number of employees, as well as cost/benefit considerations. Senior management and the board may desire objective assurance and advice on risk and control. An adequately resourced internal audit function (or its equivalent where, for example, a third party is contracted to perform some or all of the work concerned) may provide such assurance and advice. There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues.

3. “UK Corporate Governance Code 2010”, Financial Reporting Council, page 32: In addition to the “comply or explain” requirement in the listing rules, the code includes specific requirements for disclosure which must be provided in order to comply including:

The annual report should include where there is no internal audit function, the reasons for the absence of such a function (C.3.5).

Q. Our external auditors have advised our internal auditor, which is a small one-person external consultancy practice providing internal audit services, that an external assessment is required to evaluate the quality of the internal audit service provided. This is to accord with the requirements of the International Standards for Professional Practice of Internal Auditing (Standards).

My reading of paragraph 1312 – external assessments – of the said standards is that external assessments apply to in-house provision and not to external providers. In addition, paragraph 2070 suggests to me that the review carried out in-house to ensure that governance arrangements are effective, which includes internal audit, would negate the need for an external assessment to be done on an external internal audit service provider.

A. Our standards are written as a general set of principles that can be applied by in-house and external providers of internal audit. In other words, all of the standards, including the ones on quality, apply to all forms of delivery. This means external providers need to have five-yearly assessments. I have done some of these as part of the EQA service the institute now offers.

Standard 2070 was added in 2011. Its purpose is to emphasise that the organisation is ultimately responsible for the effectiveness and quality of its internal audit service when the service is outsourced. An organisation cannot put the blame on the provider if part or all of the service does not live up to expectations – 2070 puts the onus on management to do something about it. This increases rather than negates the need for an EQA where an external provider of internal audit occurs.

We recognise that it may be difficult to apply all the standards in small or one-person internal audit activities so our global body has issued some guidance on how to apply the standard in such circumstances called “Assisting small internal audit activities in implementing the International Standards for the Professional Practice of internal audit”. This can be accessed at http://bit.ly/12raWv4.

This guidance recognises that cost may be an issue and advocates peer review as a cost-effective option. The problem for you is that a firm may be reluctant to have a competitor carry out its EQA, which is why we now offer a service.

Got a question? Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email [email protected]

“I know one organisation that has removed requisitions and automatically pays invoices if they match the purchase order amount”


We round up the latest business and regulatory news to affect the internal audit profession.

UPDATE

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what’s new.

Heads of internal audit rubbed shoulders with high-profile business leaders and senior figures from other professional bodies at the institute’s annual dinner on 20 June. The event took place in the beautiful surroundings of the Guildhall in London.

One highlight was a thought-provoking speech by Douglas Flint, group chairman of HSBC Holdings, which was particularly timely given the challenges and regulatory changes currently affecting the banking industry.

No annual dinner would be complete without prizes to recognise outstanding achievement by members and students. This year Phil Tarling CFIIA was awarded the JJ Morris Award For Distinguished Service, while Helen Higgs CMIIA and Iain Burns CMIIA both accepted Special Awards 2013.

Achievements in IIA exams were celebrated with prizes for top performing students. The Peter Hook Prize 2012 was awarded to Alexis Stirling CMIIA and Joanne Clewes won the Charles Duly Prize 2012.

Interviews with the prize winners and photographs of the event can be found on the Audit and Risk website at auditandrisk.org.uk.

IIA awards celebrate best and brightest

London conference 2014

The Chartered Institute of Internal Auditors will host the IIA international conference in 2014. The IIA Global international conference committee chose London partly because of the success of the IIA’s own national conference.

The conference is the largest annual gathering of internal auditors. More than 2,000 delegates from 100 countries across the world will gather to hear international speakers, educators and professionals discuss a range of topics designed to enhance their knowledge and share best practice. Delegates will benefit from learning about the global audit experiences of recognised practitioners as well as expanding their professional network. They will also be able to visit a huge exhibition and enjoy a gala evening.

Although 2014 still seems some time away, the institute has started planning for the conference and will need your support. Visit www.iia.org.uk for regular updates and follow the IIA on Facebook, LinkedIn and Twitter for news and exclusive offers.

For more information
If you are interested in speaking at the event, nominating someone you know or volunteering your time, contact Ann Cantillon at [email protected]

Calling all HIAs – IIA launches its first annual survey of internal audit

In July we will be launching the IIA’s first ever annual survey of internal audit. We will be asking all heads of internal audit to tell us more about the profession. We need your input so that we can understand and analyse the profession’s strengths and development needs. This will help us to communicate to regulators, legislators and the media, as well as your audit committee chairs and chief executives, more about the value and importance of internal audit.

Watch out for our online survey, which will be available on our website and e-mailed to you soon. The results will be posted online later this year.

Face-to-face learning

The IIA is planning a pilot face-to-face learning programme for the IIA Advanced Diploma to be delivered in London. Students will receive all the relevant study materials, including the institute’s texts, learning packs, and a CD-Rom with extra content.

As with the IIA’s distance-learning programme, the focus is on equipping students to be excellent internal auditors. The pilot will run in September and can accept a maximum of 15 students, so if you are interested, you should book early.

Contact the learning office on 020 7819 1939 or email [email protected] for more information.

The IIA will host the largest annual gathering of internal auditors next year.

For details and brochure see [email protected]

Take control of your business processes with ICE

Maintaining an internal control framework that is fit for purpose in these challenging times is imperative. Doing so presents a significant challenge.

ICE helps organisations design, document, monitor, report, and continuously improve their internal control environment.

Rigorous, Insightful, Objective, Expert, Efficient

That’s what you want to be as internal auditors. It’s what your board and management expect you to be.

Your annual effectiveness self-assessment needs to be just the same.

And Thinking Board – our web-based self-assessment service gives you this – and more.

Thinking Board draws on Independent Audit’s expertise in conducting external reviews of internal audit. It’s easy to use, helping you gather feedback from a wide range of people across the organisation. Its imaginative questions and question design tells you more than you’d expect. And clever automated reports allow easy analysis and ready insight.

If you’d like to find out more about Thinking Board or to arrange a demonstration, please contact:

[email protected] [email protected]
+44(0)20 7220 6584 +44(0)20 7220 6545

Independent Audit Limited, 4 Bury Street, London EC3A 5AW

A service from


Events

July

10: HIAS forum – security for your business, London
10-11: IIA Award in the internal audit planning and assurance framework, London
16-17: Heads of internal audit – induction master class, York
17: Audit report writing, London
17-18: IIA award in corporate governance and risk management, London
18-19: Auditing projects, project management and project risk, London

September

3: Ultimate persuasion techniques, London
4-5: A practical guide to evaluating risks and controls, London
4-6: Cheia – Higher Education Internal Audit Conference, Glasgow
10: HIAS forum – social, economic and political risk – how to focus on key issues, London
10-12: Internal auditing – a beginner’s course, Surrey
11-12: IIA Annual Conference 2013 – Expect more, harnessing the power, London
17: The internal auditor’s guide to strategic thinking, London
17-18: IIA Award in effective delivery of audit and assurance, York
19-20: IIA Award in interpersonal skills for audit and assurance, York
25-26: Techniques for effective testing, York
26: Assurance mapping – a practitioner’s workshop, London


For further information or to book, click the “Training and events” tab at www.iia.org.uk, email [email protected] or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

IIA training courses & events

Post your event

IIA regions and special-interest groups may include details of upcoming events. Contact trainingandevents@iia.org.uk – please state the event title, date, venue and contact details.

The deadline for the September/October issue of Audit & Risk is 17 July.

Register now! Limited places available

The IIA offers a comprehensive face-to-face learning programme for IIA Diploma students studying towards the November 2013 exams.

Choose the Institute for your support

• Four days of intensive syllabus-focused tuition
• Bespoke learning texts and workbooks
• Detailed feedback on assignments
• Expert and experienced tutors

2013 Tuition workshops scheduled in London

• P1 The Internal Audit Environment – 09-12 September
• P2 Financial Risks and Controls – 16-19 September
• P3 Internal Audit Practice – 24-27 September
• P4 Information Systems Auditing – 02-05 September
• P5 Corporate Governance and Risk Management – 16-19 September

Don’t delay - start your journey to become a Chartered Internal Auditor today. Contact IIA Learning: Tel 020 7819 1939 email [email protected] www.iia.org.uk

Our workshops are guaranteed – we promise never to cancel

IIA face-to-face tuition available for November 2013 exams


Publication of the June 2013 question papers

The June 2013 question papers are now available at www.iia.org.uk/pastpapers. Please note that the IT Auditing Certificate paper and the P2 Financial Risks and Controls multiple-choice questions are not published as they contain secure question bank materials.

Release of the June 2013 exam results

The results of the latest assessments of the IIA Diploma, IIA Advanced Diploma and IIA IT Auditing Certificate will be dispatched to students on Wednesday 14 August.

Release of the past paper packs and the chief examiners’ reports

The past paper packs and the chief examiners’ reports from the June exam session will be available from Monday 9 September at www.iia.org.uk/examreports.

Requesting a feedback review of exam results

The results, feedback review and appeals policy is available at www.iia.org.uk/students. Students dissatisfied with their exam results should read this information as soon as possible.

You can request either a clerical check of your script or a full review including a clerical check and a report giving feedback on your performance. Options cannot be changed after submission. The first option costs £51 plus VAT and the second option costs £107 plus VAT.

You can apply for a review only via the application form on our website. Submissions must be received at the institute by 5pm on Wednesday 28 August. Review requests may be submitted only by students.

Further information will be supplied with the exam results. You will get your review results within four weeks of the institute receiving the request and the fee. If a review results in a grade being revised from a fail grade to a pass grade, you will be notified and the review fee will be refunded.

Open University accreditation – opportunities for your CPD

The Open University awards general credit ratings to external bodies to give formal recognition of their qualifications.

Since 2007 the Open University has recognised that the institute’s professional qualifications are postgraduate level with up to 60 general credit rating points available for each of the IIA Diploma and the IIA Advanced Diploma, and up to 30 points available for the IIA Qualification in Computer Auditing.

Qualified members can use these credit ratings to support an application to study a further qualification at a higher education institution. Members can also take advantage of awards of specific credit towards particular Open University distance-taught qualifications.

For further information on Open University accreditation for IIA qualifications visit www.iia.org.uk/openuniversity.

Student noticeboard

Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.

November 2013 exams

Exams will be held from Monday 25 November to Thursday 28 November.

| Module | November 2013 | Time |
|---|---|---|
| IIA Diploma | | |
| P1 – The Internal Audit Environment | Monday 25 | 9.30am to 12.40pm |
| P2 – Financial Risks and Controls | Tuesday 26 | 2pm to 5.10pm |
| P3 – Internal Audit Practice | Tuesday 26 | 9.30am to 12.40pm |
| P4 – Information Systems Auditing | Wednesday 27 | 9.30am to 12.40pm |
| P5 – Corporate Governance and Risk Management | Thursday 28 | 9.30am to 12.40pm |
| P7 – Internal Audit Practice Case Study | Thursday 28 | 2pm to 5.10pm |
| IIA Advanced Diploma | | |
| M1 – Strategic Management | Monday 25 | 2pm to 5.10pm |
| M2 – Financial Management | Tuesday 26 | 2pm to 5.10pm |
| M3 – Risk Assurance and Audit Management | Wednesday 27 | 2pm to 5.10pm |
| M4 – Advanced Internal Auditing Case Study | Thursday 28 | 2pm to 5.10pm |
| IIA IT Auditing Certificate | | |
| A1 – IT Auditing Certificate Multiple-Choice Questions | Monday 25 | 9.30am to 11.30am |

global brand boutique offering

Randstad Financial & Professional, formerly Martin Ward Anderson, now has a specialist corporate governance division covering:

• internal audit
• internal controls
• risk management
• IT audit
• SOX

our approach
Each client is unique so we tailor our approach to each role. We have experience in providing a number of recruitment solutions including:

• headhunting
• professional referrals
• retained campaigns
• multi vacancy campaigns
• contingent recruitment
• international campaigns

our candidates
Our network includes IIA members, newly qualified chartered accountants, multilingual and high-level internal audit directors.

services available to you
We also offer industry information for both clients and candidates:

• recruitment reviews & market insights
• global interviewing facilities
• interview advice
• CV writing

get in touch
Whether seeking your next role, or hiring for a niche skill set please contact our corporate governance experts, quoting reference ‘IIA’.

T: +44 (0) 207 786 6563
E: [email protected]: www.randstadfp.com


The Mayor’s Office for Policing and Crime (MOPAC) discharges a broad range of statutory duties and is directly accountable to the Mayor and Deputy Mayor for Policing and Crime in delivering their agenda for London. It is dedicated to building a professional, highly skilled workforce that will assist in delivering the Police and Crime Plan for London.

You will be joining the MOPAC Directorate of Audit, Risk and Assurance, a well-respected unit that has the interesting and challenging job of providing the internal audit service for the MOPAC and Metropolitan Police Service (MPS), and under a shared service arrangement, the London Fire Brigade and the Greater London Authority.

As one of three Heads of Audit and Assurance, reporting to the Director, you will develop audit strategies to help address key strategic risks associated with change, improve the internal control framework and ultimately deliver more efficient services. This offers you a rich variety of challenges and the opportunity to influence change at a senior level across a varied client base. The confidence, integrity and ability to operate at a senior level are essential. This will call for senior management experience in internal audit that includes providing risk and control advice to major change programmes, ICT technical knowledge and a thorough understanding of modern-day internal audit concepts and standards.

You will be qualified to at least CMIIA or CCAB level, and a current member of the appropriate professional body.

As a Risk and Assurance Auditor you will identify key risks, evaluate and test controls and identify areas of improvement, by planning and carrying out programmed audit assignments. A good level of practical internal auditing experience is essential and that will be supported by a recognised qualification (AAT/PIIA) together with membership of the appropriate professional body. You will be someone who has a thorough understanding of risk-based auditing and the personal qualities and credibility to operate effectively as a representative of the MOPAC.

In addition to an attractive salary package, the MOPAC offers a range of benefits including 32.5 days annual leave, interest free travel season ticket loan and a beneficial pension scheme and an emphasis on personal development and training.

To apply please visit www.london.gov.uk/priorities/policing-crime/working-mopac for an application form or call 02071612461/3 for more details. Completed applications should be returned to [email protected]

Completed applications must be returned by 22 July 2013.

The Mayor’s Office for Policing and Crime is an equal opportunities employer.

Head of Audit and Assurance £61,171 - £68,849
Risk and Assurance Auditor £37,029 - £42,491
London SW6

Senior Internal Auditor
Competitive Salary + Benefits • Chatham, Kent

At Vanquis Bank we’re very proud of the service we provide to our customers and of the many highly skilled professionals we have working across our business. We’re also proud to be award winners, having received the Credit Card Provider of the Year award for the last four years.

Having now accepted over 1.5 million customers across the UK and with highly ambitious plans for future growth, we are always looking for driven, ambitious and talented team players interested in becoming part of our incredible success story. With the continued expansion of our business, we now have an exciting opportunity for a highly skilled auditor who, as well as working on the UK credit card side of our business, is keen to gain experience of our international operation, loans and dealings with suppliers.

Reporting to the Head of Internal Audit, you will ensure there are sufficient controls in operation throughout the bank and that our directors can be confident they are operating effectively and efficiently. This will involve taking assignments (on your own or as team leader) lasting around 4 weeks to check that this is the case. You will also draft and update relevant policies and procedures to improve the control of risk identification, follow up recommendations and carry out ad hoc tests. This isn’t a standard auditor role as you will be working on diverse projects including international, non-credit card and third party supplier activities. Most of your time will be spent at Chatham, but you will also travel to our London and Bradford offices, as well as occasionally travelling to our offices abroad and visiting suppliers.

With extensive audit experience in a multi-departmental business supported by full or part PIIA, ACCA or CIMA qualification and other relevant expertise, you will be able to demonstrate the strong analytical skills and attention to detail we seek. You must be able to identify a system and understand why the controls it uses are in place yet still question whether they are as effective and efficient as they can be. Focused, determined and objective, you have to be able to work with minimum supervision, and act with discretion and diplomacy. The ability to express yourself well in speech and writing will help you achieve this, while your good time management and willingness to work extra hours when necessary will ensure you are always on top of your work.

To apply, please send both your CV and a covering note clearly explaining your reasoning for wanting to join Vanquis to: [email protected]


Internal Auditor
Permanent: Full time
Salary range: £24,958 - £29,373
Location: Camberley, Surrey

At Surrey Heath we believe that it is important that we provide excellent value and efficient services to our residents. To help us meet this aspiration we are now seeking a qualified internal auditor to join our small audit team to undertake a wide range of audits across the Council.

Ideally we are looking for someone with experience of working in the public sector although this is not essential. More importantly you should be a self-starter, able to understand a variety of systems quickly, be challenging but constructive in your audit work and able to communicate with people at all levels in the Council both verbally and in reports.

You will have:
• Audit Qualification (IIA, CIPFA or equivalent)
• Experience in risk based internal auditing
• Experience of the entire audit process from the scoping and planning of the audit, its execution and assessment leading to the final audit report

A generous benefits package includes a minimum of 24 days’ annual leave, flexible working, final salary pension scheme, life insurance, CPD training and free parking.

For further information and to apply, please go to our website www.surreyheath.gov.uk.

Closing date: Friday 26th July 2013
Interview date: Week commencing 12th August 2013

Surrey Heath Borough Council is committed to equality of opportunity in employment and service delivery and welcomes applications from all sectors of the community.

Peterborough Regional College is seeking a governor with financial, audit or accountancy expertise to join its Governing Body, the Corporation Board and to serve on the Audit Committee.

The Board is responsible for setting the College’s Strategic direction and ensuring that the College delivers excellent outcomes to students and the local community. An interest in further and higher education and a commitment to improving the education and skills of young people and adults is essential. This is an unpaid role but one which offers the opportunity to make an important contribution to a thriving college which is there to serve the local and wider community.

If you are interested in finding out more, please contact Ana Lewis, [email protected] or call 07543 933772 for further details.

Closing date 31st August 2013.

Raising Aspirations, Realising Potential & Inspiring Success

GOVERNOR VACANCY

Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School.

Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience.

We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes: full time, block release or flexible learning*.

The programme of study provides:
- Single assessment for each module using both assignment and examination methods
- Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels, as well as adding value through ‘real world’ industry and professional experience
- Significant visiting practitioner involvement in the delivery of each module
- A cost effective pathway to internal audit career development.

Annual course fees for September 2013 and January 2014 enrolments are £7,500 (full time) or £4,500 (part time) and include all learning materials and subscription/examination fees payable to the IIA.

For further information, please visit our website: www.bcu.ac.uk/[email protected] or 0121 331 6595 / 5623.

*Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.


corporate governance recruitment

London & City

Principal Internal Auditor
London
£37–40,500 + Bens

As a result of a promotion this growing local government shared service is looking to recruit an experienced Principal Internal Auditor. You will be expected to efficiently deliver a comprehensive internal audit service, covering the full range of functions across their local authority clients. Ideally you will hold the CMIIA qualification or a recognised accountancy qualification and have at least three years internal audit experience.

Trade Finance Internal Auditor
London
£55–75,000 + Bens

This UK subsidiary of an international bank provides trade, structured and project finance to its international client base. They are seeking an internal auditor with strong trade finance experience. Ideally this will have been gained via audit but candidates with strong relevant operational experience who can demonstrate enthusiasm to transfer into internal audit will also be considered. The role will encompass special ad hoc assignments.

Audit Manager
London
£75–85,000 + Bens

This well known investment manager is seeking an experienced asset management auditor to perform front to back reviews covering all trading and other areas of their business. They are a class leader in Liability Driven Investments (LDIs) and also have significant Fixed Income and Equity, Real Estate and Private Equity portfolios. You will manage complex audits in an environment that offers a good work life balance and the opportunity to develop in the business.

Audit Manager/Senior Manager
London
£Competitive

Our client is a successful banking group. They are restructuring to better align the internal audit team to specialised business functions. Covering retail banking products and the back office processes associated with these, your remit will include current accounts, credit cards, savings, mortgages, loans and fraud operations. You will have a background in audit or risk management with detailed products experience or a strong operations background.

For further details of positions in London/City contact Alexia Demetriou 020 7936 [email protected]

Regions

Senior Internal Auditor
Reading
To £55,000 + Bens

This leading global distribution group is seeking a senior internal auditor to join its corporate audit team. You will provide independent and objective assurance around internal controls, procedures, corporate governance, compliance, US GAAP and FCPA requirements. You must have excellent commercial skills, be professionally qualified and have at least 5 years internal and/or external experience. Expect up to 40% international travel.

Group Internal Auditor
Hertfordshire
To £55,000 + Bens

An exciting group internal auditor role has arisen with this successful FTSE group. You will be required to plan, execute and report on internal audit reviews of business units, processes or identified areas of risk exposure across the Group. This is an autonomous role involving varied international travel. You must be able to work on your own initiative, be audit qualified and have at least four years relevant internal audit experience.

Senior Auditor
Yorkshire
£30–50,000 + Bens

Our client is a long established and highly successful financial services group. As a member of their progressive internal audit team you will be responsible for reviewing the systems and controls established by management and the Executive. At senior auditor level this will typically entail leading medium scale / relatively complex audits, assisting with the management of the audit team and liaising with senior stakeholders within the business.

Assurance Officer
Cheltenham
To £32,000 + Bens

This household name general insurer is seeking an assurance officer / internal auditor. You will be joining an established internal audit department and will be required to provide independent, objective assurance and consulting services designed to add value and improve business operations. Financial services or insurance based experience is desirable together with well developed communication and interpersonal skills.

For further details of positions in the Regions contact David Jarrold 020 7936 [email protected]

IT Audit

Senior IT Auditor
North West
To £45,000 + Bens

A unique opportunity for an ambitious IT auditor has arisen with this successful, growing customer focussed group. Reporting to the Head of IT Audit you will work closely with IT stakeholders to improve the technology control environment and deliver the annual IT audit plan. A first class communicator with energy, drive and a commitment to maintaining a high level of performance is required for this fast paced group.

Senior IT Audit Manager
London
c. £75,000 + Bens

This diverse banking group is seeking an experienced IT auditor to manage the delivery of complex applications led and integrated reviews. You will help provide a service that makes a real difference to risk management by working in partnership with stakeholders and ensuring reviews are delivered on time and in line with quality standards. You should be CISA/QiCA qualified, with experience of managing audits in a large complex environment.

Manager – Change Audit
London
To £65,000 + Car + Bens

Working for the largest specialist change and transformation team in London you will provide assurance on key projects/programs. Applicants must have experience of project/program assurance and any previous project management experience is highly desirable. You will manage relationships with program directors and project leads and therefore it is essential that you are highly credible and fully understand project lifecycles.

Senior IT Auditor
South West
To £50,000 + Bens

Our client is a specialist financial service provider with an excellent reputation in its market. Working closely with the Head of Internal Audit you will be the sole IT audit resource and will help devise and deliver the annual IT audit plan. To meet the requirements of the post you must be CISA/QiCA qualified with IT audit experience gained ideally from a financial services provider who outsources its IT function.

For further details of positions in IT Audit contact Daniel Flynn 020 7936 [email protected]

Audit

Risk

Compliance

Security

Legal

Treasury

London

Edinburgh

New York

Dubai

Hong Kong

Singapore

Barclay Simpson
Bridewell Gate
9 Bridewell Place
London
EC4V 6AW

020 7936 2601

Barclay Simpson Scotland
9–10 St Andrew Square
Edinburgh
EH2 2AF

0131 209 7850

[email protected]


Visit www.barclaysimpson.com to access a vast range of free online resources…

• Search hundreds of audit vacancies
• Find your current market value
• Information on where best to live and work
• Focus on Computer Audit
• Latest information on qualifications

Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the REC’s ‘Diversity Initiative’.

For more details visit: www.barclaysimpson.com/equalopps

Scotland

Conformance Testing AVP
Glasgow
£Excellent + Bens

Our client is a global investment bank with an expanding presence in Scotland. They are looking to recruit an experienced Internal Audit Manager to work within a newly created conformance testing team. This second line role will require you to plan and deliver internal controls reviews across all areas of operational, market and credit risk. You will undertake controls testing and make recommendations to improve their effectiveness.

Senior Internal Audit Manager
Edinburgh/Glasgow
£45,000 + Bens

Working in this international consultancy your role will be to deliver a high quality outsourced and co-sourced internal audit and assurance service to clients across the construction, manufacturing and financial services sectors. You will manage a portfolio of work ensuring internal controls are operating effectively and agreeing control improvements with clients where required. Previous consultancy experience would be desirable.

Internal Audit Manager – Change
Edinburgh
£Excellent + Bens

This is an exciting audit role completing program assurance audits across a wide range of change and transformation programs within this successful retail bank. This role will involve significant interaction with change managers to ensure that potential business risks are identified and internal controls are fit for purpose. You should be able to demonstrate relevant audit experience gained within consultancy or financial services.

For further details of positions in Scotland contact Liam Hughes 0131 209 [email protected]

International

Risk and Control Manager
Frankfurt
To £100,000 + Bens

Our client, an international banking group, is seeking an experienced audit manager to assess and co-ordinate risks within its German subsidiary. This will involve working closely with business managers, external auditors, regulators and other stakeholders to identify all major risks and ensure adequate controls are initiated and maintained. Strong communication skills are required, including German, and also well developed commercial skills.

Head of Audit
Doha
To £95,000 Tax Free

This leading Qatar bank wishes to recruit a Head of Corporate and Credit Audit. Based in Group headquarters and managing a mid size team, you will be responsible for assessing credit risk and managing the audits of all corporate credit activity. You will have gained an in-depth understanding of credit risk in relation to corporate banking and feel confident in liaising with senior risk and commercial managers on control issues.

Senior Internal Auditor
Monaco
Excellent package

This energy services company is seeking an experienced internal auditor. Undertaking reviews of IT, financial and reporting risk throughout their operations, you will assess the adequacy of controls and propose improvements. Previous experience of auditing within a projects or contracts environment such as oil and gas or construction is preferred. Working in English a second European language would be useful.

For further details of International positions contact Marie Marchi 020 7936 [email protected]

Market Report 2013

• Up to date overview of the economy and its impact on corporate governance

• Sector analysis of the demand for internal auditors

• Review of salaries

• Outlook for the future

Download your free copy at: www.barclaysimpson.com

Nationwide Interim Opportunities

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte [email protected]

www.barclaysimpson.com/interimsolutions

South-Coast, Internal Auditor, Commerce, £250 per day
London, Change Auditor, Financial Services, £400 per day
South-East, Audit Consultant, Asset Management, £500 per day
Central London, Audit Manager, Capital Markets, £500 per day
North-East, Senior Auditor, Banking, To £50,000 pro-rata
London, Audit Manager, Retail Banking, £350 per day
East Midlands, Senior Auditor, Financial Services, £250 per day
London, Internal Auditor, Insurance, £450 per day
North London, KPI Auditor, Central Government, £125 per day
London, IT Auditor, Consultancy, £450 per day


corporate governance recruitment

Barclay Simpson
Bridewell Gate
9 Bridewell Place
London EC4V 6AW

[email protected]

020 7936 2601 www.barclaysimpson.com

MI5 helps protect the UK against threats to national security including terrorism and espionage. The Internal Audit team plays a critical role in helping MI5 manage its risks effectively and we currently have a vacancy for a Senior Internal Auditor.

Reporting to the Deputy Head of Internal Audit, you will deliver risk-based audits across a number of business areas including operational, security, financial and organisational risks. This is a challenging and varied role and, working alongside MI6 auditors, you will have the opportunity to conduct audit assignments in both MI5 and MI6.

Working with stakeholders of all levels, you will have the ability to foster positive and productive working relationships and will act as a catalyst for improvement by exploring current practices, challenging traditional approaches and making value-adding recommendations clearly, succinctly and robustly. A pragmatic approach is important for success in this role.

You will be a confident communicator, producing written reports, delivering presentations and conveying technical concepts to non-technical colleagues. You will also need strong data analysis, decision making and problem solving skills and sound judgement.

A full audit or accountancy related professional qualification, such as CMIIA or CCAB, and practical, recent experience of delivering a range of risk-based internal auditing assignments within deadlines are essential.

You should also have basic project management skills and the ability to assimilate large volumes of information quickly, scope and conduct audits and lead reviews. Experience of working within the security intelligence sector is not necessary as you will be given a comprehensive induction. You will be comfortable working both autonomously and as part of a team.

Applicants must be born or naturalised British citizens and normally have been resident in the UK for 9 out of the last 10 years. Discretion is vital. You should not discuss your application, other than with your partner or a close family member. To find out more about us, visit www.mi5.gov.uk/careers

Closing date for applications is Monday 29th July 2013.

To request an application pack please contact David Jarrold [email protected] or Daniel Flynn [email protected]

Senior Internal Auditor £36,000–£48,000 + audit allowance
London based with some UK and overseas travel
