The big pay-off: what impact has the Bribery Act 2010 had in its first year in force?
Takeover bid: why internal audit should play a bigger role in mergers and acquisitions
Like it (or not): dealing with the business risks of Facebook and Twitter
Contents
Issue 7 September/October 2012
Front
The IIA view
From the CEO, Ian Peters.
Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD, 020 7045 7500
Editors: Keith Ryan, keith.ryan@caspianmedia.com, 020 7045 7543; Alice Hoey, alice.hoey@caspianmedia.com, 020 7045 7554
Chartered Institute of Internal Auditors: info@iia.org.uk, www.iia.org.uk, 020 7498 0101
Subscriptions: membership@iia.org.uk, 020 7498 0101
Advertising: Ian Mehrer, ian.mehrer@caspianmedia.com, 020 7045 7596
Creative director: Nick Dixon. Art editor: David Twardawa
Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.
Features
Running rings around risk
Mary Hardy, head of risk assurance for London 2012, on rising to the Olympic challenge.
Regulars
Tools for the job
Resources, books and advice to help you perform.
World view
From Richard Chambers, IIA Global president and CEO.
Your move
Why internal audit should get more involved in mergers and acquisitions.
You asked us
Experts answer readers' technical questions.
Update
The latest news affecting the profession.
IIA update
Institute news and membership matters.
Vital statistics
Thomson Reuters' study of the state of the function.
Student noticeboard
Essential information for exam candidates.
Conference preview
A guide to the highlights.
Socially acceptable risks
Why Facebook and Twitter are an internal audit matter.
The involvement of a number of banks in attempts to manipulate Libor has intensified the debate about the change of culture that's needed
guidance for the sector, which will build on the International Standards. The production of the guidance will be overseen by a committee comprising representatives of the internal audit profession and key
If the audit committee doesn't assume strong oversight, whose fault is it?
audit teams are increasing headcounts and budgets, but CAEs are looking for different skills from those they sought a year ago. Then they preferred candidates with industry-specific knowledge. Now they want critical thinkers or excellent communicators. Today's audit plans are the most balanced they have been for a decade, since Sarbanes-Oxley and similar legislation led to a demand for financial auditing knowledge. With this shift in priorities has come a demand for
Rather than be the inspector that it once was, internal audit must be the adviser and risk specialist that it is today.
Carolyn Dittmeier, president of the European Confederation of Institutes of Internal Auditing
The European Confederation of Institutes of Internal Auditing represents national internal audit institutes in 36 countries and is part of IIA Global. One of our missions is to promote improvements to risk management, internal control and corporate governance systems among European organisations in all sectors. When trying to raise standards across the board, it can help us to look at the characteristics of sound corporate governance and internal control systems. Is there a common factor? I believe we need a model that is not one size, but is fit for all: a model that is fit for every single entity, yet has enough flexibility built in so that it doesn't prevent businesses from achieving their strategic objectives. So how can that work?
First, let's look at the four attributes shared by all organisations with sound corporate governance and internal control systems: board responsibility, board competence, a risk framework and the three lines of defence (3Lod) model.
Most internal auditors agree that the board or governing body of an enterprise assumes ultimate and full responsibility for its risk management and control. This is one size that does fit all.
There is also consensus about the board's competence. Its members' skills must be adequate and diverse enough to ensure the capability of its oversight over the commercial, financial and risk aspects of the organisation's activities.
But, while we may agree on what boards should be doing, experience tells us that not all of them are getting it right. We need to look at how the board's mandate is achieved in practice. This brings me to the third factor: the risk framework. To develop a sound corporate governance system, a board must adopt one of the several available international frameworks on risk management. Doing so forces it to set the foundation for a structured process of risk management throughout the organisation. The one that I prefer, the enterprise risk management framework, gives the board the right structure for its internal control framework and the tools it needs in order to oversee this effectively. But it tailors that framework to the business itself.
I believe we need a model that is fit for every single entity, yet has enough flexibility built in
There is one final minimum requirement on which consensus should be sought: 3Lod, which makes internal audit integral to the governance process and the success of an organisation. Internal auditors are experts in control and accountability and, time and again, their work shows that weak governance can arise where duties are excessively combined or are partially duplicated. If roles are not properly segregated or articulated, or if there is duplication, it can create confusion and a lack of accountability, which ultimately weakens the governance objectives for which these roles were intended.
Our research shows that the 3Lod model is highly effective where roles are made clear at the outset and resources are properly measured. Line management must, of course, assume a primary role and second-line functions must create checks and balances. But, left on their own, imbalances in risk management can arise, because there is a lack of integration in a true single mission and a unified risk governance. These imbalances can be detected by internal audit and brought to the board's attention. But, rather than be the inspector that it once was, internal audit must be the adviser and risk specialist that it is today.
Studies have shown that a well-structured and properly resourced internal audit function can make an entity more resilient. Perhaps this is why 90 per cent of EU corporate governance codes require or recommend internal audit for independent assurance.
So European organisations must create a corporate governance framework that meets the demand for proportionality, but forms the basis of rigorous internal governance, based on the four aspects of board responsibility, board competence, a risk framework and the 3Lod model. If this can be achieved, we will be well on our way to creating a common understanding of good corporate governance and a clearer role for internal audit.
UPDATE
Update for Basel guide on internal audit supervision
The Basel Committee on Banking Supervision has issued revised supervisory guidance for assessing the effectiveness of internal audit in banks. The document, entitled The internal audit function in banks, builds on the committee's principles for enhancing corporate governance, which require banks to have an internal audit function with sufficient authority, stature, independence, resources and access to the board. The new guidance replaces the 2001 document Internal audit in banks and the supervisor's relationship with auditors.
We round up the latest business and regulatory news to affect the internal audit profession.
Global poll uncovers IT governance shortfalls
Nearly a quarter of respondents to a worldwide survey of IT security issues said that management had little involvement in IT governance. The poll, by the Information Systems Audit and Control Association (ISACA), also found that 22 per cent of organisations had experienced a security breach in the past 12 months, while 47 per cent had incurred an unexpected cost owing to an IT-related problem in that time.
Business risk: a practical guide for board members can be downloaded from bit.ly/PfCrzm
Coso issues paper on cloud risks
The Committee of Sponsoring Organizations of the Treadway Commission (Coso) has published guidance on how to follow the principles of Coso's integrated framework for assessing and mitigating the risks arising from cloud computing.
To download Enterprise risk management for cloud computing, visit www.coso.org
REPORTAGE
What do you spend most of your time on?
Assurance on internal control processes.
Thomson Reuters canvassed the views of more than 1,500 internal auditors with a range of backgrounds from around the world on the state of the function and the challenges facing it. The survey found an evolving profession, focused on internal control, IT security, risk management, compliance and fraud.
IT security. Process-level risk management. Legal and regulatory risk. Protecting against fraud and corruption.
The responses reflect the demands of increasing regulation, a renewed focus on fraud and corruption, a greater need for risk management and the pressure to achieve more with less.
Chart values: 57%, 39%, 39%, 36%, 30%, 25%, 13%
Yet, despite the growing focus on risk, many organisations lack robust risk management processes.
45% Implemented, but requires extra work and resources.
19% In the development stage.
15% Immature.
12% Robust and embedded framework and resources.
9% We don't have a formal programme or resources.
Despite being strongly urged to have a formal compliance function by regulatory and enforcement bodies such as the Basel Committee on Banking Supervision, the FSA and the US Department of Justice, only 59% of those surveyed have one.
Non-compliant on compliance
63% Quarterly.
16% Monthly.
Reporting was rated as the most mature of all the processes surveyed.
Conference preview
Aiming high
Do you demand the best from your internal audit function? And, given the many and varied expectations of audit committees, executives and regulators, what does the best mean? These questions will form the starting point for the IIA annual conference and underpin an impressive programme of presentations, round-table discussions and interactive break-out sessions.
Designed to provide inspiration and practical guidance, this year's conference programme will also give members the opportunity to network and share experiences and ideas. Day one focuses on the changing regulatory environment, its impact on organisations and the potential role of internal audit. As board and stakeholder expectations concerning the importance of effective governance, risk management and control have risen, how must the profession respond and what does that mean in practice?
The Information Commissioner's Office has developed its own data protection audit programme and Graham sees internal audit as an important ally in the task of securing compliance. "Together we need to embed information rights risks into the scope of internal audit," he says.
who are really passionate about our business and what they do.
Also offering guidance on best practice will be Ian Haldenby, internal audit director at HMRC and previously head of internal audit for both the Department of Education and the Home Office. Looking specifically at effective tools and techniques in internal audit, Haldenby will share his experience of working in the private and public sectors, and what helped, and sometimes hindered, his team's ability to deliver.
Meanwhile, John Adlam, group chief internal auditor for Legal & General, will examine how internal auditors can deal with the unprecedented changes they are facing. "Change equates to increased risk," he says. Internal audit is expert in risk and control; it must be engaged in change initiatives. Adlam will emphasise the need, among other things, for internal audit to be proactive, take a partnership approach and add value. "Demonstrating our worth is a constant challenge for the profession, especially in these difficult economic times," he says. "We must demonstrate financial value and justify what we do."
For more information
The 2012 IIA conference takes place on 25-26 September at 1 Wimpole Street, London. To book your place, visit bit.ly/cryI7f
When you have the risk assurance for one of the biggest events in UK sporting history weighing on your shoulders, it doesn't pay to dwell on it. Fortunately, LOCOG's Mary Hardy has been far too busy to give her burden of responsibility too much thought.
Words: Alice Hoey Photographs: David Short
"Working on London 2012, the busier things get, the more you tend to lose perspective on what it is you're actually involved with," says Mary Hardy, speaking to A&R two weeks before the London 2012 Olympic and Paralympic Games opening ceremony. "But then, when I watch the progress of the Olympic torch or, as we occasionally get to do, visit the venues during test events, I'm reminded of just how exciting the whole thing is and how incredible it is to be a part of it."
Mary Hardy was reconsidering her position at Transport for London (TfL) when she was headhunted for the role of head of risk assurance at the London Organising Committee of the Olympic and Paralympic Games (LOCOG). The position would last the lifetime of the games and up until March 2013, owing to the ongoing work involved in the insurance programme and the dissolution of the business.
"Aside from the fact that it was clearly a once-in-a-lifetime opportunity, one of the things that appealed to me about this position was its fixed term," she explains. "I had been considering moving on from TfL, having been there for some time, but was reluctant to commit to another four or five years as a head of internal audit."
Since joining LOCOG in November 2009, Hardy has worked with a team of two internal auditors and a senior manager at KPMG, to which she co-sources work depending on the volume and specialisations required at the time. Now that her pre-games plan is complete, the internal audit team, together with a financial control department, are set to conduct compliance-type audits throughout the games, before tackling the audit work associated with the early stages of the post-games dissolution.
Starting blocks
"I joined LOCOG when it was still a fairly small organisation of about 350 people," Hardy recalls. "There hadn't been much internal audit work done because there wasn't much to audit. My first task was to write an audit plan for the lifetime of the games, from 1 April 2010 to the end of 2012. My colleague at KPMG and I tackled this in a fairly traditional way. There was only a skeleton risk management process in place at the time, as it was such a small organisation, so we based our plan on business strategies that were being updated, discussions with senior management and our own expertise."
Was it difficult to plan assurance for a temporary event of this scale? "Not really," says Hardy. "It was clear what the main risks would be: will we raise enough money to pay for the event? How robust will the transport and security provisions be? And how will LOCOG cope with the enormous explosion and the subsequent disappearance in the number of people working for it?"
As she explains, LOCOG grew at an incredible rate. By the opening ceremony, the best part of 200,000 people were working for the games (a mixture of paid staff, contractors and volunteers), from only about 5,000 at the end of March. "There are obvious risks concerning how you bring all these people on board, train them and deal with all the other employment processes, both during the games and afterwards, when there will be a mass exodus," Hardy says.
Combating fraud is also understandably high on LOCOG's agenda. While counterfeit tickets and fake merchandise are dealt with by a separate brand protection team within the legal function, which works with the Metropolitan Police's Operation Podium, corporate fraud falls within Hardy's remit. "Aside from the potential damage to the reputation of LOCOG and the nation, we can't afford to lose money through fraudulent activities," she says. "That's why, right from the outset, we put in place ethical compliance policies, speak-up procedures and confidential hotlines." Everyone who works for LOCOG also has to pass an e-module on ethical compliance as part of their induction process and then must refresh that every 12 months.
LOCOG has run fraud awareness workshops in association with Operation Podium for new recruits in key departments such as procurement and HR. The finance team has also attended fraud workshops run by the Bank of England. "We've worked very hard to put anti-fraud measures in place, but no more or less than I would expect from any large organisation with a reputation and budget to protect," Hardy says.
Team effort
Looking back at the original audit plan, Hardy is satisfied that her team got the scope right. "While the way that we have delivered audits has changed quite a bit since the start, the content of that plan has altered very little, aside from a few tweaks as LOCOG has evolved."
She had also correctly anticipated that delivering the plan would become increasingly difficult as the games approached, as people found themselves with less and less time to devote to the audit process. There would also be major areas of assurance that were not the direct responsibility of LOCOG and Hardy's internal audit team. Transport, which is being delivered primarily by TfL, is the obvious example.
"If something were to go wrong, it could represent a huge reputational issue for LOCOG, the games and the UK," Hardy says. However, you can't audit reputation risk; you simply have to put adequate processes in place to ensure that matters don't turn into a reputational problem. You also have to understand and rely on what others, such as TfL, are doing to manage risks on your behalf and theirs.
To help the audit committee understand what assurance falls within LOCOG's remit, Hardy designed an assurance map detailing what the risks are, who is managing these and what assurance is being provided.
Start to finish
As final jobs before retirement go, Hardy's can certainly be considered a climactic flourish to an impressive career. Having cut her teeth at Ernst & Young, where she stayed for 19 years and became a partner, she joined Guinness in 1996, a year before it merged with Grand Metropolitan to form Diageo. "As director of group audit and assurance, my task was to merge together the audit functions of these two companies, which was a challenge because they were scattered around the world," Hardy says. "I also developed and implemented the risk management processes that were necessary to comply with the Turnbull report's requirements, which were new at that time."
Hardy faced a comparable situation when she joined TfL in 2001, only a year after it had been established. "In effect, we were starting something from scratch," she says. "Then, when London Underground merged with TfL in 2003, I once again had to merge two audit functions to produce something that worked for TfL, which was quite a different animal from London Underground. I'm proud of my achievements in both of these roles, as I was responsible for overseeing quite radical changes in the internal audit departments to create something new and effective."
As this issue of A&R goes to press, the Olympics have finished on a triumphant, euphoric note, and LOCOG and Team GB can breathe a collective sigh after a job well done. As Lord Coe noted, Britain did it right. For Hardy and her team, the work continues, but the full burden of responsibility has lifted. At this point she can perhaps reflect on the unique and essential role that she played in the London 2012 spectacle.
Your move
Internal audit can be an invaluable tool to provide assurance during mergers and acquisitions, but management may not always be aware of the profession's skills.
Words: Neil Hodge
While the deals market is still far less active than it was before the financial crisis, organisations are always on the lookout for suitable targets to acquire or merge with to increase their market share. But mergers and acquisitions (M&As) have been notoriously difficult to get right once the money has changed hands. Studies and anecdotal evidence suggest that most M&A transactions fail to deliver their stated goals or achieve value.
Such deals would therefore seem to be ripe for internal audit's input, but an international survey conducted in 2002 for IIA Global found a low level of involvement from internal auditors at the various stages of M&As, despite their willingness to help from the start of the process. The research found that internal audit's contribution was limited to the due-diligence phase and the post-acquisition audit. Ten years later, it appears that little has changed: internal audit would like to be more involved in the M&A process from start to finish, but rarely is.
Why is this the case? A typical barrier is that internal audit lacks hands-on M&A experience and so it's involved only at certain times and in specific roles. "Internal audit has a strong case to argue for its involvement from the very outset of an M&A," says David Coombs, an internal audit and risk management consultant. But management is unlikely to include internal audit unless it has a proven record of adding value through the audit process or of being actively engaged in M&A work. In reality, how many organisations are there where internal audit can put its hand up and say it has that kind of reputation?
Prove yourself
Some internal auditors have successfully forged that reputation. Rainer Lenz CMIIA is vice-president of internal audit at pharmaceuticals company Actavis, an organisation, he says, that has grown by acquisition since it was founded. "M&A is a core business process as far as we are concerned," he says.
Lenz says that he gets involved in providing risk assessments when Actavis identifies companies to acquire, adding that he has a strong background in M&As because he used to work in finance. He agrees with Coombs that, while internal audit definitely has valuable expertise to contribute to the M&A process, the function will not be asked to participate unless it has a proven record of earlier involvement.
"Management wants advice from people who have been involved at all stages of the M&A process," Lenz says. "More often than not, internal audit does not have that experience, so it lacks credibility." The only way that internal auditors can really convince management that they should be part of the project from an early stage is to show that they understand what's involved and what the inherent risks are, and that they realise that most mergers fail.
Adding value
Other heads of internal audit say that their teams can take positive steps to increase their involvement in their organisations' M&A strategies, while also demonstrating the value they can add throughout the process. David Finch CMIIA, director of group business risk and assurance at building supplies retailer Travis Perkins and a member of the IIA's Heads of Internal Audit Service, explains that internal audit has a valuable role to play at several points along the M&A path.
"Before any M&A activity starts, internal audit can review the process that an acquisitive company might go through when undertaking a theoretical takeover," he says. This would include a consideration of funding potential: for example, does the organisation have the means to execute an M&A should the opportunity arise? "It's useless wanting to buy a business but not having the cash deposit available or the support of shareholders for the issuing of shares before you even start," he says.
Finch also thinks that a review of the valuation modelling techniques used by the business to set its acquisition price is another important area for internal audit involvement. "Asset values, earnings multiples, discounted future cash flows and so on will all provide a different answer about the business's value," he warns. This might affect whether the company decides to go ahead with the acquisition, because it may deem the target organisation too expensive or decide that the business does not hold the commercial value first thought.
Finch says internal audit may also have a role in the validation of assets and liabilities. "Stock may physically exist, but does it hold a value? For example, surplus promotional stocks relating to a campaign run six months ago, obsolete packaging, time-expired stock and so on all hold a material value, but not quite the degree of value first thought," he says.
the Office of Fair Trading will no doubt get involved. An appreciation of whether the regulator will refer the acquisition to the Competition Commission or require a compulsory divestment can influence the M&A strategy. This should be considered by the organisation before making a bid, he says.
Neale Andrews, head of the corporate and commercial practice at law firm Mundays, which undertakes M&A work, also believes that internal audit can add real value by getting involved in the process before the acquisition. For example, internal auditors can help to identify how long the process might last. "Effective timetabling is an invaluable asset and can be a deal-breaker if management wants to capitalise on the merger quickly," he says.
There are other areas where internal audit's skills can be used to great effect. Andrews says that internal audit can identify potential hidden costs, such as legal liabilities, and help to arrange indemnities to ring-fence the acquirer from having to pay for them or to reduce the purchase price of the target.
The profession can also show its value during the implementation. "At particular stages in the acquisition, management should be stepping back and taking stock of what it planned to achieve by certain dates and whether those plans have crystallised," Finch says. Days one, 30, 60, 90, 180 and 365 are the normal points. As with any project, there's a danger that the benefits will be overstated and the costs understated. So internal audit can work with the M&A project manager to give some validity to statements that are made. "Detailed planning for these milestone dates will give credibility to the M&A, so assessing the extent by which each activity has progressed can add real value," he says.
Internal audit is also well placed to assess the M&A's success when it's completed. "Once the dust has settled, internal audit can clearly conduct a post-investment review," Finch says. This might be in the remit of internal audit, or line management could do it, with internal audit reviewing the effectiveness of the M&A itself. The purpose should be to see what could be done better in the future, rather than identifying victims of the activity.
Yet, despite the skills that internal audit has to offer, some believe the status quo will remain: the catch being that, without experience, internal audit lacks credibility and so cannot gain the experience it needs in order to prove itself. David Coombs believes that whether internal audit actually gets more deeply involved in the M&A process or not depends on management's viewpoint and the structure of the organisation.
"Management may call on internal audit for assurance and advice on specific aspects when it feels that the function can add value, but not necessarily call on it to have an ongoing role throughout," Coombs says. "If you already have skills in-house that can help to ensure success, these should be used," he adds. But internal audit is also a function that's accustomed to challenging the thinking behind business strategy and standing up to management, and it's certainly useful to have an independent voice that can take a more detached view of how the deal is going, the risks involved and the controls needed, and of what should happen after implementation.
For more information
To have your say on this and other issues, go to auditandrisk.org
While the government and the Serious Fraud Office have stressed that they will make no exemptions, they've recognised that facilitation payments will take time to eradicate
The introduction of the Bribery Act 2010 last summer toughened the UK's stance against corruption by individuals and organisations both here and abroad. While some welcomed it as a necessarily strong measure, others feared that it could, by criminalising normal business practices, put British companies at a competitive disadvantage. Has its impact been as great as expected? We seek five expert views on the act's effectiveness, or otherwise, so far.
1
More thought could have been given to explaining what is expected of companies
Geoff Nicholas, CMIIA, head of global investigations group, Freshfields Bruckhaus Deringer, and a member of the IIA Heads of Internal Audit Service.
International law firm Freshfields has helped clients worldwide to understand the implications of the law and the steps they can take to protect themselves from liability. Nicholas has led his firm's response to the act.
The main concern for businesses and the media before the act came into force was its implications for corporate entertainment and hospitality. People have since understood that, providing that adequate approvals processes are in place, it needn't be a constraint. But it has led many to review how they deal with hospitality, with companies changing their processes as a result. The biggest impact on our clients has concerned their dealings with third parties, intermediaries and agents, especially in new markets where they're trying to expand. The incidence of bribery in many key emerging markets is relatively high. Whether businesses are making an acquisition, entering a joint venture or engaging a third party, we've seen them really ramp up their anti-bribery and corruption due diligence. Most have reviewed their compliance procedures and some have established new ones. Many have also significantly strengthened their internal compliance functions, sometimes creating dedicated compliance teams.
Another big issue, and one on which there could have been more clarity, is facilitation payments. These relatively small sums, sought by some nations' government officials as a matter of routine, constitute bribery under the act. While the government and the Serious Fraud Office have stressed that they will make no exemptions, they've recognised that such payments will take time to eradicate. They have offered some comfort by stressing that, providing that firms make reasonable efforts to eradicate such payments from within their own businesses, it won't be a focus of attention. But this itself is confusing: what, for example, are reasonable efforts? More thought could have been given to explaining what is expected of companies and more information on what support might be available to those operating in high-risk countries.
There has been a significant increase in awareness of, and activity against, bribery, but not solely because of the act. Recent high-profile prosecutions and costly resolutions in the US, as well as new legislation in countries such as China and Russia, have all shown that it is being seen as a significant area of risk. The necessary modifications won't be made overnight, especially where there needs to be cultural change and when it involves firms operating in global markets. It's not only about senior management's understanding of how the act affects the business and the changes that must be made. It's also about instilling this understanding across the organisation and in the business partners it works with in different markets. When certain practices are ingrained in your day-to-day operations, it can be difficult to turn them off.
Anne Hayes,
corporate assurance, Imperial Tobacco, and a member of the IIA Heads of Internal Audit Service.
In November 2011 the BSI launched BS10500, a standard aimed at helping organisations to show that they have robust anti-bribery systems in place. While many organisations have the know-how and desire to address the risks, few have a formal framework to work to. Having such a tool is useful, as it requires you to document all your anti-bribery activities; to train people addressing the issues in the organisation; and to educate everyone throughout the business about their responsibilities and the procedures in place. To do that effectively, you must also have support from the top of the organisation. Since the launch of BS10500 we've seen interest from companies of all sizes, but particularly large supply-chain organisations that are active subcontractors. These businesses are under considerable pressure from UK and international regulatory bodies, as well as from internal and external stakeholders, to demonstrate that they have in place appropriate measures to prevent bribery. As such, and especially since the release of the Bribery Act 2010, it's an issue that has risen up the corporate agenda. The BSI recently held an event where firms discussed the value of implementing BS10500 as they consolidate their anti-bribery measures. The overriding message was that implementing such a standard was a great chance to ensure that they had robust formal processes, systems and practices in place against bribery. The act of implementing it enabled them to identify any areas of risk in their client systems and then take appropriate action.
David Johnson CMIIA, acting head of internal audit, Department for International Development (DFID), and a member of the IIA Heads of Internal Audit Service.
Promoting sustainable development and eliminating world poverty are key aims of the DFID. As a strong promoter of good governance and opposer of corruption, the DFID welcomed the act and the increased scrutiny, support and guidance we anticipated it would bring. We needed to make sure we were ready for its impacts on the delivery of our work in insecure environments and on the safety of our staff there. To prepare, we considered our risk exposure and adopted preventive controls by consulting our country offices and benchmarking our processes against the Ministry of Justice's adequate procedure principles.
The act has helped us to increase awareness within the DFID, deliver on our mandate to drive out corruption in our programmes and spread the anti-bribery culture. For example, we have introduced initiatives to help us gain assurance on the people we work with and ensure they are aware of their responsibilities under the act. This includes installing new due diligence procedures, providing an e-learning course and piloting stronger methods for identifying risks in partner bodies that use our funds. These initiatives help to safeguard DFID money and reduce the risk of reputational harm.
Management is primarily accountable for the risk, but my team has a clear mandate to support the business by aiding the identification and assessment of bribery risk; providing assurance on the adequacy of policies and procedures; and championing good practice. So we conducted a review and recommended improvements, which have since been implemented. We have strengthened our audit assignments via a range of initiatives, including the facilitation of fraud risk workshops, which include material on the act; sharing best practice through a departmental newsletter; and providing guidance and links to the Ministry of Justice's Quick start guide (www.justice.gov.uk/legislation/bribery).
About 60 percent of information workers use their own devices for both work and personal purposes. Nearly three-quarters of these believe that it increases their productivity.
Exposure good and bad
The role of social media in the Arab spring is well documented, as is its part in organising the London riots of 2011. It's clearly powerful stuff. But what can it do for organisations and is it safe to get involved?
Social media gives businesses the chance to talk to their customers and find out what they might be saying about their brands, according to Stephen Hill, managing director and data security specialist at Snowdrop Consulting. It also gives them a whole new way to harvest information about consumers. "But the main thing is that it exposes organisations to a much greater audience," he says. Indeed, as of May 2012 Facebook claimed to have 900 million active users, more than the total population of the Americas (about 859 million) plus that of Australasia (39 million). Twitter reckons to have about 500 million active users.
Social media is also more powerful than advertising. As Hill points out: "People trust peer-to-peer recommendations more than ads. Something they've read on [holiday review site] TripAdvisor or on a friend's Facebook page has a greater impact and the corporate world is taking this on board."
Ryan Rubin, UK director of security and privacy at global consultancy Protiviti, agrees about the value of social media, but points out a number of pitfalls for internal auditors to bear in mind. Social media is vulnerable to the same types of fraud as those affecting other information technologies. A typical scam is to compromise someone's Twitter account then post a link from there that takes an unsuspecting user to a corrupt site. "A hacker on the outside can then come into your computer and bounce from there inside your corporate network," Rubin warns. These things are happening all the time. Criminals never stop trying to break through security systems, so users need to be warned about their tactics, while firewalls and anti-virus programs need to be updated continually.
Social media sites also lay organisations open to security risks of another kind. Think of the MI6 chief, Sir John Sawers, whose wife posted personal details on Facebook, or of a chief executive who might casually tweet his location and inadvertently alert competitors to an impending merger or acquisition. Rubin also alludes to the lonely hearts scam, in which a new Facebook contact befriends a senior executive's personal assistant to gain intelligence about their boss's activities.
Word of mouth
David Willetts, minister of state for universities and science, explains how the Department for Business, Innovation and Skills (Bis) is managing the risks. The cyber-risks threatening the competitiveness of this country require co-operation and action from both the private sector and the government. The government's £650m cyber-security strategy, published in 2011, sets out how the UK will support economic prosperity, protect national interests and safeguard the public by building a more resilient digital environment (www.cabinetoffice.gov.uk/resource-library/cyber-securitystrategy). We will shortly be reporting on progress against our targets one year on. Bis, GCHQ and the Centre for the Protection of National Infrastructure (CPNI) have also published a cyber-security guidance booklet. This provides risk guidance for boards, outlines key challenges and risks, and provides practical measures to mitigate those risks (copies can be found at bit.ly/BisCyberSecurity). More broadly, there is activity under way across the government to raise awareness of the threats and provide advice. Guidance for large companies is available on the CPNI website (www.cpni.gov.uk/advice/cyber), which lists 20 critical means of effective defence, along with a comprehensive range of protective measures. Tailored advice for smaller businesses and individuals can also be found at www.businesslink.gov.uk and www.getsafeonline.org. Visit www.auditandrisk.org.uk to read a longer article by Willetts on the cybersecurity challenges facing UK businesses.
The use of social media also poses a serious reputational risk. Customers, for example, can be brutally honest about a product or service, doing a lot of harm in the process. Even more damaging, perhaps, is when employees share their negative comments about an organisation. The number of cases is growing. Virgin Atlantic dismissed 13 flight attendants for criticising the airline's safety standards and describing its passengers on Facebook as "chavs". A worker was sacked by Waitrose for making obscene remarks online about the John Lewis Partnership. And an employee who posted "I work at Argos and can't wait to leave because it's shit" had his wish granted sooner than he'd expected. Meanwhile, 15 per cent of workers in the US told Deloitte's 2009 ethics and workplace survey that, if their employer did something that they didn't agree with, they would comment about it online. Of course, there have always been unhappy customers and jaded employees. The difference now is that the complaint can potentially be seen by millions of people and won't ever be entirely removed. "You often hear that phrase 'what goes online stays online' and it's very true," Hill says. What people don't realise is that what you post to Facebook belongs to Facebook. It's very difficult to have them remove material unless, for instance,
70 million smart phones are lost every year and nearly one-third of their owners lose all the data held on them, because they haven't stored it anywhere else. The security implications are clear. Internal auditors need to stay aware of all the changes and provide assurance to management that the right safeguards are in place. These will include technical solutions that retain data in the network and prevent it from disappearing in mobile devices. Procedural measures are required, such as restricting access to customer data only to staff members who need it. "Organisations need to have policies and procedures in place for their own protection," Hill says. They should already have an internet and email policy, so social media is an add-on, addressing the things that employees should and shouldn't do.
Not that all the issues will be clear cut. Think of instances where an employee's friend posts an injudicious picture of them online. How can they still be held liable? And when does conduct in an employee's own time reflect on their employer? People have the right to a private life under the Human Rights Act 1998, while the Regulation of Investigatory Powers Act 2000 stipulates what can be recorded in terms of monitoring people's activities. Organisations must tread carefully to protect themselves and explain clearly what they expect from their staff.
But remember that, as well as the threats, there are opportunities. A generation has grown up with the internet and finds social media a natural and productive way to communicate. "Organisations need to embrace all the advantages," Rubin says. One of the biggest risks is to do nothing and then get left behind.
To have your say on this and other issues, go to www.auditandrisk.org.uk
An IIA Heads of Internal Audit Service forum on social media risk and the impact on organisations will take place on 17 October in London. For more details email jasmine.mcclymont@iia.org.uk
Scoping it out
How should internal audit ensure adequate coverage of risk and internal control within the business? Three HIAs explain what works in their organisations.
The scope of your work as an internal auditor depends mainly on the risks that your organisation faces. But how those risks are identified and prioritised will vary from process to process, as will the level of flexibility built into your audit plan.
At the Met Office, one of the organisations featured in a set of case studies published recently by the IIA and the National Audit Office, the function's scope is defined by the risks prioritised by its senior management and audit committee. The risk management team deals with those risks, while internal audit liaises with it to suggest controls and review progress. "The internal audit team takes an overall view of the risk and assurance landscape," says Jonathan Kidd, HIA at the Met Office. We look at the risks in key areas against corporate objectives and the risk appetite of management. Internal audit works with management to rank proposed audits on an ABC model from high to low risk. It also uses assurance mapping to identify any gaps and determine which assurance provider should review the management of that risk. This rolling plan sits in the background throughout the year, but new risk areas or requests for reviews are added as they arise. "It's not just an annual process," Kidd says. We have a watching brief to see if there are any emerging risks that we need to be aware of and to budget for in any future audit plan. Internal audit then categorises these audits for possible review, depending on how highly management prioritises the risks related to them. We also speak to people across the business individually to validate whether risk registers are accurate and reflect the key risks their business areas face.
At Travis Perkins, a company supplying the UK building and construction industry, the scope of internal audit's work is set out in its audit charter. This defines what the function can and cannot do. It is ratified annually by the audit committee. According to David Finch, director of group business risk and assurance, this provides a go anywhere, look at anything remit. "If internal audit is going to sit independently, it is best to set the charter and terms of reference as wide as possible," he says. It allows us the freedom to do what we think is right for the role of internal audit. There are about 200 business risks on the company's risk register, ranging from general to specialist to unpredictable black swan risks. These are prioritised using a matrix, but Finch deliberately does not account for all of internal audit's work in the audit plan. Instead, he leaves a contingency so that the appropriate extra resources can be made available if needed.
At global hotel chain InterContinental Hotels Group (IHG), an integrated assurance model and risk-based internal audit approach helps the function to define its coverage. "This integrated approach gives us a better idea of how other assurance providers understand risk, control it and deliver assurance, so we don't duplicate work," says Bruce Vincent, IHG's global head of internal audit. By understanding and assessing the effectiveness of the activities of other assurance providers, such as IT, legal and risk management, we can work out if we need to review some of these areas more deeply or if we can prioritise resources for reviews elsewhere. While the annual audit plan is prepared and approved by IHG's audit committee between August and December, the internal audit team makes continuous reassessments using a dynamic risk assessment model. Vincent says: This allows us to adjust the annual audit plan to take account of emerging risks and to reassess and reprioritise activities as and when required.
Visit www.iia.org.uk/casestudies to download the series of case studies that the IIA and the National Audit Office have published on internal audit practices. Useful guidance can also be found in the International Standards. Practice Advisory 2050-2 focuses on assurance mapping, while Standard 1000 and Practice Advisory 1000-1 cover purpose, authority and responsibility (bit.ly/JNjK4R).
Agree the scope of your function with the audit committee and have it built into the audit charter. But try to leave some flexibility to enable your team to react to emerging risks. To minimise duplication and free resources for other areas, look at the range and depth of assurance given to management by your organisation's other assurance providers. Understand management's risk priorities and ensure that work is aligned with these.
Career development
A job interview is a great chance for an internal auditor to demonstrate some of their most valuable skills. Paul Goodman explains how.
Question time
An interviewer can also spot a talented internal auditor by the manner in which they answer his or her questions. Most candidates will have the knowledge and experience to respond with the correct information, but delivering the right level of detail, without over-simplification or digression, is harder. "The ability to summarise key audit points and recommendations with the appropriate weight of delivery is a key ability for an internal auditor and can be an important factor in their long-term career progression," Goodman says. The level of detail and relevance of content that the interviewee provides to questions will, therefore, give the interviewer a valuable insight into their skills in this area.
Preparation here is key, then, although this should not be confused with rehearsing a script. "If you over-prepare, you risk sacrificing that valuable rapport," Goodman warns. And, while preparation should be comprehensive, it's important to place the focus on yourself: your experience, abilities and ambitions. "Job candidates tend to spend a disproportionate amount of time researching companies rather than thinking about themselves," he says. It's often why they ramble when asked simple, predictable questions but give brilliantly thought-out answers about the latest set of results. Internal auditors shouldn't underestimate the importance of dealing effectively with the kind of stock interview questions they expect: talking the interviewer through their CV, describing their strengths and weaknesses, and explaining past career moves.
Yet you must also be mindful of details that are specific to internal audit. Goodman explains: Internal auditors need to think carefully before the interview about the risks that their organisation faces and those of the recruiting company. Be prepared to explore your thoughts about possible audit approaches and what relevant experience you have. Such discussions offer internal auditors a real opportunity to sell themselves, something that Goodman believes can be a weak point. "Internal auditors often make too little of the fact that they must understand business and operational strategy in order to deliver results," he says. If you emphasise this, it will enable you to be more expansive in your answers. You can demonstrate that you have a broad commercial grasp, rather than purely a knowledge of risk and audit technique.
Most important of all in an interview is to think carefully about what the interviewer is looking for and shape your answers and approach accordingly. "Ultimately, interviewers are trying to find out if you can do the job, if you want to do it and if you can fit in," Goodman says. Put yourself in their shoes and think how you can convince them that you can, you do and you will. Then you will have the edge over the competition.
Paul Goodman is the founder of Goodman Masson, the largest independent financial recruiter in the UK. The company covers, among other areas, accounting, tax, audit, risk and management consultancy. He can be contacted at paul.goodman@goodmanmasson.com
You asked us
Q&A
Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you've submitted recently.
Q. We are creating a new audit committee and I would appreciate some pointers on the ideal combination of skills.
A. In its 2010 guidance on audit committees, the Financial Reporting Council suggests that the audit committee should have at least one member with a professional accountancy qualification. This makes sense, given that there's a good deal of financial content to the work of an audit committee. Other than that, there is no standard or ideal mix of skills and, in practice, you can work out the range of the skills that best suits your organisation. You might, for example, include skills relating to governance, risk management, internal control, IT or regulatory compliance. There are many options and no limit to this. For example, some housing associations appoint a tenant representative to their audit committees. Lastly, it's important to consider attributes as well as skills. Audit committee members should have true independence and the ability to challenge management. They must also be free from any conflict of interest.
Q. I am about to begin a review of information governance. Do you have any resources that might help me?
A. I'd recommend the global technology audit guides (the GTAG series of practice guides). In particular, GTAG15 (issued in June 2010) covers information security governance and the role of internal audit. It includes advice on how to plan audit reviews and the test that you can perform. But there are others in the series that may also help you. Visit bit.ly/GTAGs for details.
Q. I need some technical advice about audit needs assessments. Are any relevant publications available to members in the IIA resource library?
A. There are two sources of information that may help you. The first is a series of case studies that the IIA has prepared on behalf of the National Audit Office, which look at how internal audit is planned and delivered (www.iia.org.uk/casestudies). These tell us that internal audit activities assess audit needs by talking to their stakeholders and providing assurance on high-priority risks. Resources are set according to how far the audit committee wants internal audit to go down the list of risk priorities. The second source of information is a set of six research reports issued by IIA Global in 2011, based on a survey of nearly 14,000 members worldwide. The fourth of these, What's next for internal auditing, highlights where internal audit activities focus their time and the engagements internal auditors expect to be performing in the near future. You can find all the reports on the IIA's benchmarking page (bit.ly/IIAbenchmarking).
Q. According to Practice Advisory 2010-2, Using the risk management process in internal audit planning, internal auditors audit key controls and provide assurance on the management of significant risks. But the global position paper entitled The role of internal auditing in enterprise-wide risk management says that internal audit should not provide management assurance on risks. Can you explain the apparent conflict between the two positions?
A. I can see how this might cause confusion, so I'll try to give a short and simple explanation. Management is responsible for identifying, assessing and responding to risk. In the process, some managers will provide assurance that these responses are working effectively. They might include line managers (we call this the first line of defence) or staff in a risk or compliance team (the second line). Both the first and the second lines of defence are, therefore, part of the organisation's management structure. The statement you cite from the position paper means that internal audit should not adopt a management role. In other words, it shouldn't hold management responsibility for risk, including management assurance, the second line of defence. The value that internal audit brings to an organisation is independent and objective assurance (the third line of defence), giving the audit committee an unbiased opinion on the effectiveness of risk responses. This assurance covers how effectively the organisation assesses and manages its risks and includes assurance on the ways in which the first and second lines of defence operate. This assurance encompasses all elements of an organisation's risk management framework, from risk identification and assessment processes to the internal control system as a response to mitigating risks.
Got a question? Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
IIA UPDATE
CPD accreditation scheme to benefit members and their employers
Under a scheme launched in September, organisations that employ IIA members and support their professional development can be accredited as such, formally recognising their commitment to CPD. Members working for an accredited employer are exempt from the annual monitoring process. "Accredited employers demonstrate that their staff have appropriate opportunities to address their development needs; are supported and encouraged to undertake relevant activity; and are required to reflect upon the outcomes, benefits and further development opportunities," said Steve Rainbird, qualifications and professional development manager with the institute. The process involves an independent review of the organisation's structure, as well as the internal audit team's roles. BT Group was one of the first employers to sign up. Grant Harrison, head of internal audit operations in its internal audit division, said: "By subscribing, we are demonstrating not only to the existing members of our team, but also to potential recruits our commitment to supporting the achievement of professional excellence." To find out more about the scheme, visit bit.ly/IIA_CPD
Amyas Morse, comptroller and auditor-general at the National Audit Office, delivered the keynote address.
Agency, who won the Charles Duly prize for the best overall mark in the Diploma exams. She said: "I am proud to receive an award, but credit the excellent tutors who inspired and helped me during my studies."
Alastair Foster CMIIA of RSM Tenon, who won the Peter Hook prize for the best overall mark in the Advanced Diploma exams. He said: "It's great to be recognised for the effort you put into the exams. The qualification is rewarding enough, knowing how respected it is, so the prize is the icing on the cake."
In addition, this year's J J Morris award for distinguished service was given to past president Dr Sarah Blackburn CFIIA, managing director of the Wayside Network. She said: "I am deeply honoured to receive the award and I thank the president and council for nominating me. But of course hundreds of people were involved in getting the institute to chartered status, both staff and volunteers, plus well-wishers from many other institutes and organisations who supported us. I accept this award on behalf of everyone who helped us to move Forward chartered."
Lastly, the IIA's annual special award went to Jim Thomson CMIIA, who has been active in the Scottish Region for over 37 years.
The PDC is responsible for overseeing strategy relating to education, principally qualifications, CPD and technical guidance
IIA Global has appointed Phil Tarling CFIIA as its new chairman. Tarling (pictured) is a long-standing member and a past president of the IIA in the UK and Ireland. He has more than 25 years of experience in internal audit, finance and budgetary roles, including two decades as a head of internal audit. As chairman for 2012-13, Tarling will act as IIA Global's chief spokesman. He will lead its strategic initiatives and advocate the advancement of the institute and the internal audit profession worldwide. Visit bit.ly/IIA_Chairman to hear more from him about the role of the internal auditor and to find out more about his chosen theme for his chairmanship: Say it right.
After an election for members of the IIA Council, four directors will join at the AGM in October. Phil Byrne, Grant Morrison and Neil Hart will take office for terms of up to three years and Pamela McDonald has been elected for an extra three-year term.
Neil Hart CFIIA is recently retired, having spent most of his career in central government audit, including being HIA for the Forensic Science Service and the Immigration Services Commissioner.
Grant Morrison CMIIA is HIA at Alliance Trust, the largest generalist UK investment trust by market value listed on the London Stock Exchange.
Phil Byrne CMIIA is internal audit manager at HMRC and has been on the IIA North East committee for the past two years.
Pamela McDonald PIIA was originally elected to the Council in 2008 and is also a member of the IIA Ireland committee. She is currently the internal auditor in Our Lady's Children's Hospital, Crumlin, and has over 20 years of experience working in internal audit.
The next round of nominations will be held in spring 2013.
Clark, Peter RBS Group Clarke, Stephen Ashby, Claire Bath and North East Southbank Centre Somerset Council Ashford, Natasha Clifford, Barry Fife Regional Council SSE Renewables Atkinson, Neil Coughlan, Alexandra Department for Work Veritau and Pensions Craddock, Victoria Benmaamar, Sobh St James's Place Subsea 7 Wealth Management Bowe, Jeffrey Crook, Emma Department for Work RSM Tenon and Pensions Cunning, Joan Brown, Stewart Department of Finance Scott Moncrieff and Personnel (NI) Coogan, Stuart Davidson-Dell, Simon Deloitte & Touche Centrica Energy Upstream Cook, Gillian Dean, Anthony Department for Work London Borough and Pensions of Hillingdon Cooper, Darren Del Greco, Gabriella Department for Work Deloitte & Touche and Pensions Dennis, Hannah Davies, Victoria RSM Tenon TIAA Dolan, Paul Denny, Gemma RSA Insurance Ireland Grant Thornton Downer, Stephen Ellis, Matthew DSSO RSM Tenon Fahy, Paul France, Wesley Liberty Insurance Telford & Wrekin Council Fiddes, Carolyn Furness, Jon Friends Life Department for Work Flack, Alistair and Pensions Aviva Goodman, Melanie Fleming, Ian Bridgend County Department of Agriculture Borough Council and Rural Development Gould, Sara Forster, Erin States of Guernsey RBS Group Grace, John Peter Fraser, Heather Birmingham City Council Northamptonshire Greenbeck, Fiona County Council Grant Thornton Hadfield, Barry Hamel, Brian Friends Life PricewaterhouseCoopers Harper, Jennifer Ceska republika Department of Agriculture Hastie, Hazel and Rural Development Fife Council Heasley, Roger Hellary, Daniel Department of Agriculture Britvic and Rural Development Hewitt, Paul Jackson, Peter JD Wetherspoons BGL Group Hodson, Lisa Jolliffe, Hayley Denbighshire Government County Council Procurement Service Hunter, Michael Julyan, Barry Diploma (PIIA) Department for Liverpool Victoria Adeoye, Andrew Education Friendly Society Ernst & Young Ilczuk, Ania Kelly, Elizabeth Ali, Mushtaq Prudential Department for 
Transport for London Jimenez, Lucia Regional Development Atkinson, Andrea Bupa Kendall, George Ministry of Defence Johnson, David NFU Mutual Bramley, Sharon Khan, Shammi Department for Hartlepool Trafford Metropolitan International Borough Council Borough Council Development Bromage, Andrew Killen, Melanie Jones, Philip Derry Central Library Worcester City Council Ministry of Defence
Jugessur, Rhiannon Fortis UK Khan, Addiba HSBC Kitchin, Julie Jobcentre Plus Kumi, Anthony RSM Tenon Lamb, David Aylesbury Vale District Council Lefevre, Irene Cigna Life Insurance Company McHugh, Matthew Deloitte & Touche Melluish, Helen Department for Work and Pensions Moloney, Kevin South Coast Audit Murray, Fiona Birmingham City Council Pickering, Garry The Phoenix Group Ranger, Neil Xafinity Rashid, Shahid HM Revenue & Customs Safi, Irfan BT Group Salamon, Barbara Tearfund Self, Sarah Scottish Government Sharpin, Linda Tradex Insurance Shireen, Sidrah Global Crossing Slimming, James Towergate Partnership Stirling, Alexis Aberdeen Asset Management Thomas, Lisa Denbighshire County Council Tomkys, Nicholas RSM Tenon Viggers, Roderick BBSRC White, Pinar The Automobile Association Woods, Tracey
Lacy, Kelly Ann Home Office Lawes, Amanda Royal Borough of Windsor and Maidenhead Liveston, Kirsty Scott Moncrieff Lyons, Mark Travelex UK Martin, Edward Veritau McCarthy, Conor University College Cork McDowell, Andrew Schroders McGrath, Paul Simon Axa Sun Life Assurance Society McKenna, Fiona Department of Agriculture and Rural Development McNeil, Isobel Scottish Government Mearns, Vicki Department for Regional Development Mennear, Catherine Communities and Local Government Metcalfe, James Essex County Council Miles, Neil Lha-Asra Group O'Kane, Stephen Northern Ireland Water Ovard, Neil John Warwickshire County Council Raine, Linsey Northumbria Internal Audit Rice, Michael Hansard Europe Robinson, James TD Direct Investing Saxton, Nigel American International Group Scott, Gavin The Aster Group Self, Sarah Scottish Government Semken, Timothy Veritau Shepherd, Anna Falkland Islands Government Shirley, Lana Transport for London Sloman, Anne Vale of Glamorgan Council Smith, Claire Business Services Organisation Snell, Mark Street, Anna Liverpool PCT Taperell, Alice ABC Taylor, Angela Yorkshire Building Society
Thomas, Elizabeth Deloitte & Touche Townsend, Jason Capita Life & Pension Services Towse, Mark Capital One (Europe) Trevallion, Nicola RSM Tenon Wood, Chris BT Group Yardley, Caroline Stockport Metropolitan Borough Council
Certificate (IACert)
Anwar, Irfan Department for Work and Pensions Bagnall, Andrew GlaxoSmithKline Barker, David International Personal Finance Bird, Graham DX Group Bonner, Joanna Defence Internal Audit Boyle, Una Daikin Airconditioning Brown, Gerard Student Loans Company Byers-Coleman, Janet Met Office Carr-Jones, Roger English Heritage Clarke, Anulka Information Commissioner's Office Clegg, Richard Ministry of Defence Dominey, Maria Information Commissioner's Office Drury, Paul Transport for London Duncan, Liam Information Commissioner's Office Heath, Victoria Information Commissioner's Office Heaton, Janet Lloyds Pharmacy Hennessy, Laura Information Commissioner's Office Honour, Steve Johnson, Keith Ecclesiastical Insurance Lamb, John-Pierre Information Commissioner's Office Littler, Christopher Information Commissioner's Office Mangan, Thomas Fin Sec & Audit
Matthews, Anthony HSBC McAllister, Penelope Jobcentre Plus McLuckie-Townsend, Jane Department for Work and Pensions Moore, Bal Jobcentre Plus Moss, Katharine Katharine Moss Consulting Neal, Gareth Information Commissioner's Office Oatway, Derek Horton Housing Association Pickering, Michelle Nationwide Quantick, Danielle General Dynamics UK Rawcliffe, Heather Department for Work and Pensions Sheldon, Jennifer Bibby Distribution Stone, Jolyon Information Commissioner's Office Tonks, Annette Ministry of Defence Topping, Karen Webb, Richard AWE Webb, Debra AWE Willis, Clive Chaucer Syndicates
IT Auditing Certificate
Hoy, Lindsey Axa Insurance Jones, Matthew Ageas (UK) Ray, David Blackburn Borough Council Rosser, Arran Torfaen County Borough Council Solomon, Martyn Euler Hermes UK

To find out how you can become qualified with the IIA, call 020 7498 0101, visit www.iia.org.uk or email studentsupport@iia.org.uk

Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.
Working with aspiring members of The Chartered Institute of Internal Auditors since 1989
Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
length of time for which the candidate will need special arrangements and confirm the required proportion of extra time required. Students who require special arrangements should ensure that they review the latest version of the policy, which can be found at www.iia.org.uk under Regulations and policies in the Student information centre. Submissions must be made before any exam entry application.

Authority-to-sit correspondence

Correspondence will be sent on 29 October to students registered to sit the November exams. Candidates will be required to present a copy of this, as well as a photographic identity document, on entry to the exam room. If you have not received your correspondence by 5 November, contact exams@iia.org.uk or call the assessment coordinator, Aneta Zieba, on 020 7819 1928. Pre-exam instructions will also be made available on 29 October in the Student information centre at www.iia.org.uk. The authority-to-sit correspondence will remind students to read these instructions in the run-up to the exams. Further information about your exam venue is also
Submission of professional experience journals (PEJs)
Individuals who have completed the theory modules of the IIA Diploma or IIA Advanced Diploma are encouraged to submit their PEJs as soon as possible, ideally electronically. Assessment of PEJs is completed within four weeks and successful submissions result in the award of the relevant designation. Submitting PEJs electronically, and asking the signatories for their professional experience to endorse such submissions electronically, should save members and the institute time and money. Further information on the submission of PEJs, including the latest versions, can be found on the Qualifications and CPD pages of the IIA website under Completing your qualification.
For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org.uk or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.
18
19-20 20
9-10
Heads of internal audit forum: Mergers and acquisitions - opportunities and threats, London
9-11 10 10
25-26
11
IIA annual conference 2012: Demanding the best from internal audit London
26 26 27
11
11-13 12 12
11
IIA Wales Cymru: How to catch a thief: fraud, theft, risk management and internal audit, Wrexham
john.thomasson@iia.org.uk
Seminar: Implementing the cloud - benefits, challenges and risks for internal audit, London
16
October
2-3
Leading the audit team London
13-14
16
16-17 17
18 18
25
IIA North East: Fraud focus - kicking fraud into touch forever? Wakefield
juliewinham@barnsley.gov.uk
14
IIA Wales Cymru: How to catch a thief: fraud, theft, risk management and internal audit, Cardiff
john.thomasson@iia.org.uk
31
17 17
18-19 19 24
HIAS forum: Social media risk and the impact on organisations, London
November
1-2 9
IIA Scotland annual conference Dunblane
dawn.mcinnes@iia.org.uk
How to audit procurement, Dublin
Fraud risk and the internal auditor, London
IIA regions and special-interest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk
17-18
The deadline for the November/December issue of Audit & Risk is 17 September.
Internal Auditor
£35,938 - £38,140 pa with further progression to £41,639 pa on achieving designated skills and experience

An exciting internal audit opportunity is available to an enthusiastic and motivated individual who thrives in a culture of change working within, and supporting, the University of Hertfordshire. The Internal Audit Service is responsible for evaluating and reporting the University group's arrangements for risk management, control and governance, value for money and providing assurance to the Governing Body and the Vice Chancellor. You will preferably be a qualified or part-qualified member of the Chartered Institute of Internal Auditors or a recognised professional accountancy body. You will have recent extensive experience of delivering a range of risk-based internal audit assignments. You will be able to work under pressure to tight deadlines and possess good communication skills, strong analytical and evaluation ability and good planning and organisational skills. Good report writing is essential. You will be able to deal confidently with senior management of the University group, staff at all levels in the academic and professional Strategic Business Units and the University's Audit Committee.
Under current UKBA regulations, the University is unlikely to be able to get a work permit in respect of this post. We can therefore only accept applications from people who will have the right to work in the UK for at least one year from the date of appointment. The University offers a range of benefits including a final salary pension scheme, professional development, family friendly policies, child care vouchers, waiving of course fees for the children of staff at UH, discounted memberships at the Hertfordshire Sports Village and generous annual leave.
Ref: 009109CIIA
For more information, visit www.iia.org.uk/crma or alternatively call 020 7819 1939.
Roles
SAP Manager - London
An exciting opportunity to help the firm's SAP audit delivery capability to expand. You will have the opportunity to contribute to our methodologies, and to train and develop members of the team. The role requires strong organisational and communication skills and will provide the successful candidate with the opportunity to take responsibility for a wide-ranging existing SAP assurance client base, covering many sectors. Successful candidates will have strong technical expertise in SAP modules, and in performing BASIS reviews, segregation of duty assessments and data extraction analysis.

IT Audit Executive - Various office locations
As the primary point of contact during field work you will be responsible for ensuring that all IT assurance work is carried out to the highest standard. This is a fantastic opportunity for experienced auditors (IT or financial audit) to join a successful and growing team. With exposure to a wide range of clients and a structured training programme in place you can look forward to growing a successful career.

Experience
We would like to hear from dynamic individuals with a passion for furthering their career within IT audit. For all roles successful candidates will hold either a professional accounting qualification (ACCA, ACA) or be qualified and experienced in IT audit (CISA, QiCA, CISM, IIA). Practice experience is desirable. To apply please visit grant-thornton.co.uk/careers quoting GT2459 for the SAP manager and GT2365 for the IT Audit Executive.
Background
Our Technology Risk Services team has ambitious growth plans and as a result we have new opportunities for aspiring individuals to join this highly respected team. You will join a refreshingly open and supportive environment where you can make a real difference. We pride ourselves on a creative culture that promotes independent thinking and rewards innovation.
grant-thornton.co.uk/careers
2012 Grant Thornton UK LLP. All rights reserved. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd. Grant Thornton International Ltd and the member firms are not a worldwide partnership. Services are delivered independently by member firms. Full disclaimer available at grant-thornton.co.uk
An opportunity has arisen for a Senior Auditor to work in a historical Financial Services organisation in the heart of the City. You will be given exposure across the whole business, coupled with fantastic opportunities for internal promotion and movement into the business. Excellent academics and a relevant professional qualification are essential and experience in prudential regulations e.g. Basel III and Solvency II will be highly advantageous.
Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com
www.barclaysimpson.com/interimsolutions
For further information on this role please contact Daniel Flynn at df@barclaysimpson.com for the UK based role and Daniel Close at dc@barclaysimpson.com for the US based role.
Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com