Issue 7 September/October 2012

The magazine of the Chartered Institute of Internal Auditors

A place on the podium

Top-quality risk assurance had to play its part in the success of London 2012. And MaryHardy delivered just that

Issue 7 September/October 2012

The big pay-off: what impact has the Bribery Act 2010 had in its first year in force? Takeover bid: why internal audit should play a bigger role in mergers and acquisitions Like it (or not): dealing with the business risks of Facebook andTwitter

 a.  a thorough reversal of outdated technology and complete adoption of TeamMate

TeamMate is still the Innovation Leader after all these years:

The first Windows based Audit Management System in the world The first Audit Management System to introduce Smart Device functionality

 b.  a fundamental change in your audit approach; especially the overthrow or renunciation of one system substituted by TeamMate  c.  a changeover in use or preference especially in Audit Management Systems

<the TeamMate Revolution>

The Global Leader in Audit Management

Risk Assessment Risk Based Planning Scheduling Extensive Audit Content Electronic Workpapers Surveys Checklists Image Scanning & Annotation Automated Report Generation Full Issue Remediation Tracking Time & Expense Tracking

# o  f audit departments adopting TeamMate each day # o  f Languages in which TeamMate is available # o  f Countries in which TeamMate is Licensed # o  f auditors using TeamMate daily #  of CPD hours delivered in past 3 years

1 14 105

90,000 104,000

020 7981 0566

Contents
Issue 7 September/October 2012

Issue 7 September/October 2012

The magazine of the Chartered Institute of Internal Auditors

A place on the podium

Top-quality risk assurance had to play its part in the success of London 2012. And Mary Hardy delivered just that

18

The big pay-off: what impact has the Bribery Act 2010 had in its first year in force? Takeover bid: why internal audit should play a bigger role in mergers and acquisitions Like it (or not): dealing with the business risks of Facebook andTwitter

22 26

18
Front
3 The IIA view
From the CEO, Ian Peters.

Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Alice Hoey alice.hoey@caspianmedia.com 020 7045 7554 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Art editor David Twardawa Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.

Features
14 Running rings around risk
Mary Hardy, head of riskassurance for London 2012, on rising to the Olympic challenge.

REGULARS
30 Tools for the job
Resources, books and advice to help you perform.

5 World view
From Richard Chambers, IIA Global president and CEO.

32 Career development tips

How best to sell your skills in a job interview.

7 View from the top

Carolyn Dittmeier, president of the European Confederation of Institutes of Internal Auditing.

18 Your move
Why internal audit should get more involved in mergers and acquisitions.

33 You asked us
Experts answer readers technical questions.

8 Update
The latest news affecting the profession.

22 The Bribery Act 2010: one year on

How effective is the legislation proving so far and how have businesses adapted to the new rules?

34 IIA update
Institute news and membership matters.

10 Vital statistics
Thomson Reuters study of the state of the function.

36 Student noticeboard
Essential information for exam candidates.

12 Conference preview
A guide to the highlights.

26 Socially acceptablerisks
Why Facebook and Twitter are an internal audit matter.

38 Courses and events

Key training dates.

Enclosed in this issue: Essential to Success

The institutes strategy and achievements in 2011-12.

We post more articles online every week at www.auditandrisk.org.uk

VISION INNOVATION VALUE

Continually striving to deliver business assurance and best practice providing: High quality software products  Vital training courses and educational seminars  Customised comprehensive consultancy services

Exclusive distributors in UK and Ireland for:

For further information call us on +44 (0)1892 512348 or check out our web site at www.auditware.co.uk

View from the IIA

Cultural change internal audits key role

After all the bad news involving banks, the institutes initiative to produce guidance for the financial services sectorsinternal audit is one positive development.
Ian Peters, chief executive of the IIA
They say that bad news comes in threes and the most recent set of banking fiascoshas been no exception. First, the Financial Services Authority (FSA) found banks guilty of mis-selling insurance for small business loans. Next there was the ITmeltdown that caused enormous problems for millions of bank customers. And then the Libor rate-fixing scandal completed the trio, making June to July whatsome commentators have called the worst period for the industry since the start ofthe financial crisis five years ago. The involvement of a number of banks inattempts to manipulate Libor has, in particular, intensified the debate about the change of culture thats needed and the importance to achieving good corporate governance of establishing the right tone atthe top.There is growing pressure on bankboards to drive this change in culture inorder to ensure that more ethical and transparent behaviour permeates their organisations.This is good news for internalauditors, whohave an essential role to play as the eyes and ears of the board. Theindustrys regulators are providing a stronger and clearer context for our profession to play thatrole. The regulators are recognising that an effective internal audit function, with greaterinfluence and more effective relationships with executive management, boards and regulators, is key to good corporate governance. The global banking regulator, the Basel Committee on Banking Supervision, recently published its principles for internal audit in banks.This followed a public consultation to which a number of national institutes of internal audit around the world responded, including the chartered institute. The 20 principles set out by the committee represent a clearblueprint for a more effective internal audit function. The Basel principles reference the IIAs International Standards. Inthe UK, meanwhile, there is agreement in the financial sector that more specific guidance to support theStandards could be of substantial benefit. So, with the backing of the Bank of England and the FSA, the institute has embarked on an initiative to develop internal audit stakeholders in the financial services industry. I am delighted that Roger Marshall has accepted our invitation to chair the committee. He serves on several boards, as well as being chairman of the audit committee of Old Mutual, an international savings, investment and protection group. He is also amember of the Financial Reporting Councils board and chairs its accounting council, which sets accounting standards in the UK. The level of endorsement we have received from the regulator and throughout the sector for the development of this guidance underlines its significance for the profession and the industry. As well as having support in the UK, we have the backing of IIA Global. It,and no doubt the global regulatory community, will be watching our progress carefully to see what might be learned for internal audit in other key financial sectors around the world. We will be keeping members up to date on the progress of this key initiative through the pages of A&R, with all the latest information posted online (www.auditandrisk.org.uk). And for more details about our strategy and achievements in 2011-12, please see Essential to Success, included with this issue.

The involvement of a number of banks in attempts to manipulate Libor has intensified the debate about the change of culture thats needed
guidance for the sector, which will build on the International Standards.The production of the guidance will be overseen by a committee comprising representatives of the internal audit profession and key

HAVE YOUR SAY

Post your comments about this article or the issues raised at www.auditandrisk.org.uk

T h r e e w e e k s t og o h a v e y o ur e g i s t e r e dy e t ? R e g i s t e r n o wf o r t w oo r mo r e d e l e g a t e s a n d r e c e i v e a 1 0 %d i s c o u n t ! T h e 2 0 1 2c o n f e r e n c e b r i n g s t o g e t h e r l e a d i n g i n t e r n a l a u d i t p r o f e s s i o n a l s , b u s i n e s s e x p e r t s a n db e s t p r a c t i c e o r g a n i s a t i o n s a c r o s s a l l s e c t o r s .C r e a t e a p r o g r a mme t h a t s u i t s y o ua n dl e a v e w i t ht h e t o o l s , t i p s a n d a d v i c e t or e s o l v e y o u r i n t e r n a l a u d i t i s s u e s w h e ny o ur e t u r nt ow o r k .

View from IIA Global

Reshaping internal audit trends to watch

Many internal audit functions are increasing headcounts and budgets, but chief audit executives are looking for different skills from those they sought a year ago.
Richard Chambers, president and CEO of IIA Global
One of IIA Globals priorities is to monitor the trends and emerging issues affecting the profession around the world. Hardly a week goes by without a new research report crossing my desk, giving fresh insight into internal audit practices. One from our own Audit Executive Center has been particularly enlightening.Titled The pulse of the profession: with progress noted, opportunities are still abundant , it highlights not only changes that the profession has undergone in recent years, but also implications for how it must change in the future. It points to a number of areas where we can enhance our performance and stature as a profession.The first is audit committees oversight of internal audit. Internal auditors have made great strides over the past decade in building reporting relationships with their audit committees. Recent studies show that this progress is continuing, yet they also raise troubling questions about the level of oversight. While most internal audit groups report functionally to an audit committee, only 38 per cent of committees are involved in setting performance objectives for chief audit executives (CAEs) and only about half receive regular updates about internal audit quality-improvement programmes. Audit committees are charged with overseeing us, but our failure to involve them in setting our objectives, evaluating our performance and improving our quality may be making it impossible for them to do this effectively. Even when it comes to ensuring management support for internal auditing, more work may be needed. Audit committees in 72 per cent of organisations make sure that the CAE receives management support , according to the survey, but it also reveals that only 24 per cent of audit committees ensure that the CAE is involved in key strategic initiatives. If the audit committee doesnt assume strong oversight over the CAE, whose fault is it and what should be done? Only when the audit committee and management are fully informed of their responsibilities and armed with the information they need can they be expected to fulfil their oversight and support duties properly. The survey also highlights the fact that, while internal audit teams sizes have stabilised, the skills they require have changed.The profession has come through the economic crisis relatively unscathed and many internal different skills, many of which dont relate to accounting. Skills needing most improvement include relationship building, negotiation, conflict resolution, presentation and handling high-level meetings. Lastly, the report says that, while our stakeholders have enhanced their understanding of internal controls, we may still not see eye to eye on important risks. As it points out, several studies show that internal audit plans seem to address key risks identified by boards, audit committees and management, but the allocation of internal audit resources may not reflect the priorities of the board and management. For example, coverage of strategic risks and the effectiveness of risk management remains low, despite their impact in recent years. In other areas, internal audit may be overestimating risks. For most organisations, it seems that the dialogue on risks and controls has advanced to the point that management, boards and auditors agree on areas of potential risk butnot yet to where they agree on the extent or possible impact of individual risks. Although these arent the only issues affecting internal audit, they do warrant our immediate attention. I will continue to update you on the emerging issues facing our profession, so that you can address them in your organisations.

If the audit committee doesnt assume strong oversight, whose fault is it?
audit teams are increasing headcounts and budgets, but CAEs are looking for different skills from those they sought a year ago. Then they preferred candidates with industry-specific knowledge. Now they want critical thinkers or excellent communicators. Todays audit plans are the most balanced they have been for a decade, since SarbanesOxley and similar legislation led to a demand for financial auditing knowledge. With this shift in priorities has come a demand for

For further information

Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/rfchambers

IIA Partner Feature

Just auditors or business executives?

How internal audit departments develop great people
This is a great time to be in the internal audit profession. With the challenges of technological advancement, globalisation, increased regulation, heightened competition for staff and an uncertain global economy raining in from all sides, many companies are re-examining their long-term plans and, in particular, how to get the most out of their internal audit function. As well as ensuring that there is a robust internal audit function in place, leading companies are looking to build a stronger risk and control culture throughout the organisation. For internal audit professionals who often have a unique insight into the inner workings of an organisation, this translates into great opportunities to develop their careers in other areas of the business. Volume VIII of Protivitis Internal Auditing Around the World series proles eight organisations leaders in industries as diverse as energy, healthcare, nancial services and industrial products that are exposing their people to internal audit as a key part of their training and development. One prevalent theme stands out from the proles: internal auditors are gaining valuable exposure to other parts of the business. There is no doubt that this will increase the value being provided by internal audit. At Protiviti we help internal audit leaders develop their people into business executives with a thorough grounding in governance, risk and control. To learn more, visit www.protiviti.com/iaworld or contact lindsay.dart@protiviti.co.uk.

2012 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting rm and does not issue opinions on nancial statements or offer attestation services. PRO-0812

View from the top

Corporate governance one size fits all?

Rather than be the inspector that it once was, internal audit must be the adviser and risk specialist that it is today.
Carolyn Dittmeier, president of the European Confederation of Institutes of Internal Auditing

The European Confederation of Institutes of Internal Auditing represents national internal audit institutes in 36 countries andis part of IIA Global. One of our missions is to promote improvements to risk management, internal control and corporate governance systems among European organisations in all sectors. When trying to raise standards across the board, it can help us to look at the characteristics of sound corporate governance and internal control systems. Isthere a common factor? I believe we need a model that is not one size, but is fit for all a model that is fit for every single entity, yet has enough flexibility built in so that it doesnt prevent businesses from achieving their strategic objectives. So how can that work? First, lets look at the four attributes shared by all organisations with sound corporate governance and internal control systems: board responsibility, board competence, a risk framework and the three lines of defence (3Lod) model. Most internal auditors agree that the board or governing body of an enterprise assumes ultimate and full responsibility for its risk management and control.This is one size that does fit all. There is also consensus about the boards competence. Its members skills must be adequate and diverse enough to ensure the capability of its oversight over the commercial, financial and risk aspects of the organisations activities. But, while we may agree on what boards should be doing, experience tells us that not all of them are getting it right. We need to look at how the boards mandate is achieved in practice.This brings me to the third factor: the risk framework.To develop a sound corporate governance system, a board must adopt one

of the several available international frameworks on risk management. Doing so forces it to set the foundation for a structured process of risk management throughout the organisation.The one that I prefer the enterprise risk management framework gives the board the right structure for its internal control framework and the tools it needs in order to oversee this effectively. Butit tailors that framework to the business itself.

I believe we need a model that is fit for every single entity, yethas enough flexibility built in
There is one final minimum requirement on which consensus should be sought: 3Lod, which makes internal audit integral to the governance process and the success of an organisation. Internal auditors are experts in control and accountability and, time and again, their work shows that weak governance can arise where duties are excessively combined or are partially duplicated. If roles are not properly segregated or articulated, or if there is duplication, it can create confusion and a lack of accountability, which ultimately weakens

the governance objectives for which these roles were intended. Our research shows that the 3Lod model is highly effective where roles are made clear at the outset and resources are properly measured. Line management must, of course, assume a primary role and second-line functions must create checks and balances. But, left on their own, imbalances in risk management can arise, because there is a lackof integration in a true single mission anda unified risk governance.These imbalances can be detected by internal audit and brought to the boards attention. But, rather than be the inspector that it once was, internal audit must be the adviser and risk specialist that it is today. Studies have shown that a well-structured and properly resourced internal audit function can make an entity more resilient. Perhaps this is why 90 per cent of EU corporate governance codes require or recommend internal audit for independent assurance. So European organisations must create a corporate governance framework that meets the demand for proportionality, but forms the basis of rigorous internal governance, based on the four aspects of board responsibility, board competence, a risk framework and the 3Lod model. If this can be achieved, we will be well on our way to creating a common understanding of good corporate governance and a clearer role for internal audit.

Additional news, features and views are posted online all the time. Go to auditandrisk.org.uk to see whats new.

UPDATE
update for basel guide on internal audit supervision
The Basel Committee on Banking Supervision has issued revised supervisory guidance for assessing the effectiveness of internal audit in banks. The document, entitled The internal audit function in banks , builds on thecommittees principles for enhancing corporate governance, which require banks to havean internal auditfunction withsufficient authority,stature, independence, resources and access to the board. The new guidance replaces the 2001 document Internal audit in banks and the supervisors relationship withauditors .

We round up the latest business and regulatory news to affect the internal audit profession.
Global poll uncovers IT governance shortfalls
Nearly a quarter of respondents to a worldwide survey of IT security issues said that management had little involvement in IT governance. The poll, by the Information Systems Audit and Control Association (ISACA) also found that 22 per cent of organisations had experienced a security breach in the past 12 months, while 47 per cent had incurred an unexpected cost owing to an IT-related problem in that time.

Watchdog exposes failures to meet health and social care standards

More than a quarter of NHS and social care services in England are performing below standard, according to their regulator. The Care Quality Commission (CQC) inspected 14,000 sites, including hospitals, care homes and dental practices. Among the common problems it identified were the poor management of medicines and staff shortages. In total, 27 per cent of the 14,000 facilities inspected failed to meet at least one of the 16government standards covering health and social care.The inspections covered more than a third of the services for which the CQC has responsibility. Where problems were identified, managers were told to draw up plans to improve their performance. In130 cases, performance was sobad that the inspectors demanded urgent action. In some, this resulted in restrictions being placed on a service. The review which the CQC calls a market report is the first time that inspection data has been published this way. To download the CQCs market report, visit bit.ly/NQRYUx

To read ISACAs 2012 governance of enterprise IT survey, go to bit.ly/Q8gHDr

NAO criticises internal audit in Whitehall

The government is not getting full value from the 70m it spends on internal audit, according to the National Audit Office (NAO). Its report, The effectiveness of internal audit in central government , states that the service does not always focus on the right issues and is often not of sufficient quality to be useful to decision-makers. The NAO says expectations of internal audit are unclear, which leads to a wide variation in how standards are applied.This in turn means that the NAO is often not able to rely on internal audits work to support its own external audits. Internal audit also lacks sufficiently strongleadership and its performance acrossgovernment departments is not properly assessed, according to report. The IIA has published a series of case studies of internal audit in practice, which highlight the approaches that organisations including Transport for London, SABMiller, Travis Perkins and BT have taken to address issues such as risk-based internal auditing; auditing projects; allocating internal audit resources; and managing the relationship with the chair of the audit committee. Visit bit.ly/M6kdPJ to read the NAOs report. To read the IIAs case studies, visit www.iia.org.uk/casestudies

risk guide cautions UKboards

A new guide to risk for directors, by the Institute of Directors in association with Airmic, Chartis, PwC and Willis, has urged board members to improve their understanding and management of risk inorder to deliver growth and prevent crises in future.

To read the latest guidance, go to bit.ly/ OBqzIP

Business risk a practical guide for board members can be downloaded from bit.ly/PfCrzm

Public-sector managers overworked and stressed

Public-sector managers are working longer hours under more stressful conditions than they were five years ago, according to a poll by the Chartered Management Institute. Almost half (46 per cent) of the publicsector managers who responded to its Quality of working life 2012 survey said that their organisations were in decline, compared with 19 per cent of managers in the private sector and 18 per cent in the not-for-profit sector. The average manager in the public sector works about 48 days in unpaid overtime a year. Nearly a third (32 per cent) reported that their health had deteriorated in the past three months, with 43 per cent declining to take sick leave when they were ill. Just over 40 per cent of public-sector managers said they would leave if they thought they could find another job. To read the report, visit bit.ly/NCELKW

EC vows to clamp down on Libor rigging

The European commissioner for internal market and services, Michel Barnier, is planning to enact new regulations that would outlaw the manipulation of benchmark indexes such as Libor and Euribor. The move follows Barclays Banks record290m fine after it admitted to fixing Libor.The scandal forced the banks chief executive, Bob Diamond, to resign and to waive his bonus. Barnier will amend reforms to the EUrules against market abuse so thatpotential loopholes are closed. He calledthe falsification of such benchmark rates a betrayal with potentially systemicconsequences . We intend to close the regulatory gap in our proposed market-abuse legislation by including the direct manipulation of market indexes such as Libor, Barnier said. Anyonethinking of manipulating markets needs to know theyll face sanctions, including possibly criminal ones. For more details, visit bit.ly/bwdDU7

Government consults on remuneration reporting law

The Department of Business, Innovation andSkills is seeking views on its draft regulationsfor the content of directors remuneration reports. It has proposed that the directors remuneration report should contain two distinct parts: a policy report (to be produced only when there is a shareholder vote), which sets out allelements of a companys remuneration policy and key factors that were taken into account in settingthe policy; and an annual reporton how the policy was implemented in the preceding financial year, setting out actual payments to directors and details about the link between the companys performance and their pay. The deadline for comments is 26 September.The regulations are expected to take effect in October 2013. For further details, visit bit.ly/MpBzHb

Coso issues paper on cloud risks The Committee of Sponsoring Organizations of the Treadway Commission (Coso) has published guidance on how to follow the principles of Cosos integrated framework for assessing and mitigating the risks arising from cloud computing.
To download Enterprise risk management for cloud computing, visit www.coso.org

REPORTAGE
What do you spend most of your time on?
Assurance on internal control processes.
10

Thomson Reuters canvassed the views of more than 1,500 internal auditors witharange of backgroundsfrom around the world on the state of the function andthechallengesfacing it. The survey found an evolving profession, focused oninternalcontrol,ITsecurity, risk management, compliance and fraud.

83% 44% 34% 30% 24%

Time better spent

What should be your toppriorities?

Assurance on internal control processes. IT security. Strategic-level riskmanagement. Corporate governance. Process-level risk management.

66% 46% 38% 30% 29%

IT security. Process-level riskmanagement. Legal and regulatory risk. Protecting against fraud andcorruption.

Key challenges for the year ahead

Increased focus on risk and control. Changing business model.

The responses reflect the demands of increasing regulation, a renewed focus on fraud and corruption, a greater need for risk management and the pressure to achieve more with less.

57% 39%

Insufficient skilled resources. The need to implement more preventive controls.

39% 36%

Cost of resources. Insufficient management support.

30% 25%

Regulatory proposals to reform the audit market.

13%

Yet, despite the growing focus on risk, many organisations lack robust risk management processes.

How mature is your organisations risk management function?

45% Implemented, but requires extra work and resources. 19% In the development stage. 15% Immature. 12% Robust and embedded framework and resources. 9% We dont have a formal programme or resources.
Despite being strongly urged to have a formal compliance function by regulatory and enforcement bodies such as the Basel Committee on Banking Supervision, the FSA and the US Department of Justice, only 59% of those surveyed have one.

Audit committee, meet the board

Non-compliant on compliance

11

How frequently do the two get together?

63% Quarterly.

16% Monthly.

High marks for reporting

Reporting was rated as the most mature of all the processes surveyed.

41% of respondents said that their

reporting was robust and mature. Only 17% of those surveyed couldsay the same about their risk assessment programmes. To download the Thomson Reuters fullsurvey report, visit bit.ly/KBjjp8

Conference preview

Aiming high
Do you demand the best from your internal audit function? And, given the many and varied expectations of audit committees, executives and regulators, what does the best mean? These questions will form the starting point for the IIA annual conference and underpin an impressive programme of presentations, round-table discussions andinteractive break-out sessions.
Designed to provide inspiration and practical guidance, this years conference programme will also give members the opportunity to network and share experiences and ideas. Day one focuses on the changing regulatory environment, its impact on organisations and the potential role of internal audit. As board and stakeholder expectations concerning the importance of effective governance, risk management andcontrol have risen, how must the profession respond and what does that meanin practice? The Information Commissioners Officehas developed its own data protection audit programme and Graham sees internal audit as an important ally in the task of securing compliance. Together we need toembed information rights risks into the scope of internal audit, he says. who are really passionate about our business and what they do. Also offering guidance on best practice will be Ian Haldenby, internal audit director at HMRC and previously head of internal audit for both the Department of Education and the Home Office. Looking specifically at effective tools and techniques in internal audit, Haldenby will share his experience of working in the private and public sectors, and what helped and sometimes hindered his teams ability to deliver. Meanwhile, John Adlam, group chief internal auditor for Legal & General, will examine how internal auditors can deal with the unprecedented changes they are facing. Change equates to increased risk, he says. Internal audit is expert in risk and control; itmust be engaged in change initiatives. Adlam will emphasise the need, among other things, for internal audit to be proactive, take a partnership approach and add value. Demonstrating our worth is a constant challenge for the profession, especially in these difficult economic times, he says. We must demonstrate financial value and justify what we do. For more informAtion The 2012 IIA conference takes placeon 25-26 September at 1 Wimpole Street, London. To book your place, visitbit.ly/cryI7f

12

Tools of the job

Day two of the conference will focus on improving internal audit performance, featuringpractical advice on how to tackle specificprocesses and approaches concerning governance and compliance, such as assurance mapping and emerging risks such as cyber-crime. Speakers from a wide range of industries, sectors and backgrounds will share their views among them, Angela OHara of Vodafone. OHara will ask what a good audit department looks like in practice, drawing on her experience as the companys head of audit for northern Europe, in which she manages a team of 30 across eight countries and ten offices. While our transformation journey at Vodafone began before I joined the audit team, in the past two years we have radically changed our organisation structure, launched our own brand, built our own audit management tool and focused on our people, she says. Our success relies on having the right people with the right skills

The big debate

The first panel discussion will include Christopher Graham, the UK information commissioner; Judith Hackitt, chair of the Health and Safety Executive; and Rosemary Hilary, director and head of internal audit at the Financial Services Authority.They will provide an overview of key regulatory changes and challenges, drawing on their wealth of experience to give perspectives from their respective sectors. Data protection presents businesses with both opportunities and risks. Getting it rightis of increasing importance from both the reputational and the regulatory point of view, Graham says. Get it right and you gain efficiencies and better customer relationships and service. Get it wrong and youre in trouble with your customers and shareholders and with the regulator.

Comprehensive Audit & Risk Management Software

Where will you be using Pentana Vision?

Pentana Vision

Global audit management software

Modern screen design that operates globally over a range of network speeds without the restrictions of a browser interface Flexible audit planning by organisational structure & process Home screen identification of items for your action and review In-built audit methodology and audit report templates Simple deployment and automatic software updates Audit work can be focussed on risks identified from integrated risk registers

www.pentana.com/vision Enquiries: info@pentana.com Call: +44 (0)1707 373335

14

Working on London 2012, the busier things get, the more you tend to lose perspective on what it is youre actually involved with, says Mary Hardy, speaking to A&R two weeks before the London 2012 Olympic and Paralympic Games opening ceremony. But then, when I watch the progress of the Olympic torch or, as we occasionally get to do, visit the venues during test events, Im reminded of just how exciting the whole thing is and how incredible it is to be a part of it. Mary Hardy was reconsidering her position at Transport for London (TfL) when she was headhunted for the role of head of risk assurance at the London Organising Committee of the Olympic and Paralympic Games (LOCOG).The position would last the lifetime of the games and upuntil March 2013, owing to the ongoing work involved in the insurance programme and the dissolution of the business. Aside from the fact that it was clearly a once-in-lifetimeopportunity, one of the things that appealed to me about this position was its fixed term, she explains. Ihad been considering moving on fromTfL, having been there for some time, but was reluctant to commit to another four or five years as a head of internal audit. Since joining LOCOG in November 2009, Hardy has worked with a team of two internal auditors and a senior manager at KPMG, to which she co-sources work depending on the volume and specialisations required at the time. Now that her pre-games plan is complete, the internal audit team, together with a financial control department, are set to

Running rings around risk

When you have the riskassurance for one ofthe biggest events inUK sporting history weighing on your shoulders, it doesnt payto dwell on it. Fortunately, LOCOGs MaryHardy has been fartoo busy to give her burden ofresponsibility toomuch thought.
Words: Alice Hoey Photographs: David Short

When I watch the progress of the Olympic torch, Im reminded of just how exciting the whole thingisand how incredible it is to be a part of it

15

Aside from the potential damage to the reputation of LOCOG and the nation, we cant afford to lose money through fraudulent activities

conduct compliance-type audits throughout the games, before tackling the audit work associated with the earlystages of the post-gamesdissolution.

Starting blocks

16

I joined LOCOG when it wasstill a fairly small organisation of about 350 people, Hardy recalls. There hadnt been much internal audit work done because there wasnt much to audit. My first task was to write an audit plan for the lifetime of the games, from 1 April 2010 to the end of 2012. My colleague at KPMG and I tackled this in a fairly traditional way.There was only a skeleton risk management process in place at the time, as it was such a small organisation, so we based our plan on business strategies that were being updated, discussions with senior management and our own expertise. Was it difficult to plan assurance for a temporary event of this scale? Not really, says Hardy. It was clear what the main riskswould be: will we raise enough moneyto pay for the event? How robust willthe transport and security provisions be? And how will LOCOG cope with the enormous explosion and the subsequent disappearance in the number of people working for it? As she explains, LOCOG grew at an incredible rate. By the opening ceremony, the best part of 200,000 people were working for the games a mixture of paid staff, contractors and volunteers from onlyabout 5,000 at the end of March. There are obvious risks concerning howyou bring all these people on board, train them and deal with all the other employment processes, both during the games and afterwards, when there will be amass exodus, Hardy says. Combating fraud is also understandably high on LOCOGs agenda. While counterfeit

You dont become an internal auditor if you want people to loveyou

tickets and fake merchandise are dealt with by a separate brand protection team within the legal function, which works with the Metropolitan Polices Operation Podium, corporate fraud falls within Hardys remit. Aside from the potential damage to the reputation of LOCOG and the nation, we cantafford to lose money through fraudulent activities, she says. Thats why, right from the outset, we put in place ethical compliance policies, speak-up procedures and confidential hotlines. Everyone who works for LOCOG also has to pass an e-module on ethical compliance as part of their induction process and then must refresh that every 12months. LOCOG has run fraud awareness workshops in association with Operation Podium for newrecruits in key departments

such as procurement and HR.The finance team has also attended fraud workshops runby the Bank of England. Weve worked very hard to put anti-fraud measures in place, but no moreorless than I would expect from anylarge organisation with a reputation andbudget toprotect, Hardy says.

Team effort
Looking back at the original audit plan, Hardyis satisfied that her team got the scoperight. While the way that we have deliveredaudits has changed quite a bit sincethe start, the content of that plan hasaltered very little, aside from a few tweaks asLOCOG has evolved. She had also correctly anticipated thatdelivering the plan would become

Everyone who works for LOCOG has to pass an e-module on ethical compliance as part of their induction process

Mary Hardy on women in internal audit

Ive never found it a barrier or a particular challenge being a woman in senior internal audit roles. But early in my career, when male colleagues first met me professionally, they often didnt know how to treat me: like a daughter or a wife? These days its probably more wife or mother. They arent quite sure which box to put you in. That can give you the upper hand, at least for a day or two, while you decide how you want that particular relationship to shape up. On other occasions men will treat you with kid gloves. Iremember one time being given a tour of a factory, during which the male workforce hastily took down their girly posters. And they can show concern that, as a woman, you may not be able to handle the hostility that can come your way when youre an internal auditor. Providing that you can demonstrate that youre confident enough to deal with any such situations, it really shouldnt be a problem. After all, there will always be people who dont like you and wont get on with you, whatever your gender, race or religion. Furthermore, its part of the job you dont become an internal auditor if you want people to love you. If you understand that, youll get on fine in this profession. Women are ideally suited to internal audit in terms of skills. For example, we ask a lot of questions and tend to keep asking why and were often very good at getting people on side. There are certain barriers to womens careers in internal audit, butthey are the same practical issues that exist in most professions. For example, the role of internal audit at a large international company may well involve a lot of travel, which wouldnt suit every womanwith a young family. Its also a difficult role to perform on a part-time basis. This applies to other disciplines, of course. It isnt a question of there being an old-boys network or a negative attitude to women, which exists in other fields.

17

increasingly difficult as the games approached, as people found themselves with less and less time to devote to the auditprocess. There would also be major areas of assurance that were not the direct responsibility of LOCOG and Hardys internalaudit team.Transport, which is beingdelivered primarily byTfL, is the obvious example. If something were to go wrong, it couldrepresent a huge reputational issue forLOCOG, the games and the UK, Hardy says. However, you cant audit reputation risk; you simply have to put adequate processes in place to ensure that matters dont turn intoa reputational problem. Youalso have tounderstand and rely on what others, suchas TfL, are doing to manage riskson your behalf and theirs.

To help the audit committee understand what assurance falls within LOCOGs remit, Hardy designed an assurance map detailing what the risks are, who is managing these and what assurance is being provided.

Start to finish
As final jobs before retirement go, Hardys can certainly be considered a climactic flourish to an impressive career. Having cut her teeth at Ernst &Young, where she stayed for 19 years and became a partner, she joined Guinness in 1996, a year before it merged with Grand Metropolitan to form Diageo. As director of group audit and assurance, my task was to merge together the audit functions of these two companies, which wasa challenge because they were scattered around the world, Hardy says. I also developed and implemented the risk management processes that were necessary to comply with the Turnbull reports requirements, which were new at that time.

Hardy faced a comparable situation when she joined TfL in 2001, only a year after it had been established. In effect, we were starting something from scratch, shesays. Then, when London Underground merged with TfL in 2003, I once again had to merge two audit functions to produce something that worked for TfL, which was quite a different animal from London Underground. Im proud of my achievementsin both of these roles, as I was responsible for overseeing quite radical changes in the internal audit departments to create something new and effective. As this issue of A&R goes to press, the Olympics have finished on a triumphant, euphoric note, and LOCOG andTeam GB canbreath a collective sigh after a job well done. As Lord Coe noted, Britain did it right. ForHardy and her team, the work continues, but the full burden of responsibility has lifted. At this point she can perhaps reflect on the unique and essential role that she played in the London 2012 spectacle.

Internal audit has a strong case to argue for its involvement from the very outset of a merger or acquisition

18

Effective timetabling is an invaluable asset and can be a dealbreaker if management wants tocapitalise on the merger quickly

Your move Internal audit can be an invaluable tool to provide assurance during mergersand acquisitions, but management may notalways be aware of theprofessions skills.
Words: Neil Hodge
help from the start of the process. Theresearch found that internal audits contribution was limited to thedue-diligence phase and the post-acquisition audit. Ten years later, it appears that littlehas changed: internal audit would like to be more involved in the M&A process from start to finish, butrarely is. Why is this the case? Atypical barrier is that internal audit lacks hands-on M&A experienceand so its involved only at certain times and in specific roles. Internal audit has a strong case toargue for its involvement from thevery outset of an M&A, says DavidCoombs, an internal audit andrisk management consultant. But management is unlikely to include internal audit unless it has a proven record of adding value through the audit process or of beingactively engaged in M&A work. In reality, how many organisations are there where internal audit can putits hand up and say it has that kindof reputation?

Prove yourself
Some internal auditors have successfully forged that reputation. Rainer Lenz CMIIA is vice-president ofinternal audit at pharmaceuticals company Actavis an organisation, he says, that has grown by acquisitionsince it was founded. M&Ais a core business process as far as we are concerned, he says. Lenz says that he gets involved inproviding risk assessments whenActavis identifies companies toacquire, adding that he has a strongbackground in M&As because he used to work in finance. He agrees with Coombs that, while internal audit definitely has valuable expertise to contribute to the M&A process, the function will not be asked to participate unless it has a proven record of earlier involvement. Management wants advice from people who have been involved at all stages of the M&A process, Lenz says. More often than not, internal audit does not have that experience, so it lacks credibility.The only way

19

hile the deals market is still far less active than it was before the financial crisis, organisations are always on the lookout for suitable targets to acquire or merge with to increase their market share. But mergers and acquisitions (M&As) have been notoriously difficult to get right once the money has changed hands. Studies and anecdotal evidence suggest that most M&A transactions fail to deliver their stated goals or achieve value. Such deals would therefore seem to be ripe for internal audits input, butan international survey conducted in 2002 for IIA Global found a low level of involvement from internal auditors at the various stages of M&As despite their willingness to

{
that internal auditors canreally convince management that they should be part of the project from an early stage is to show that they understand whats involved andwhat the inherent risks are and that they realise that most mergers fail.

Management wants advice from people who have been involved at all stages of M&As. More often than not, internal audit does not have that experience, so it lacks credibility

Adding value
Other heads of internal audit saythat their teams can take positive steps to increase their involvement in their organisations M&A strategies, while also demonstrating the value they can add throughout the process. David Finch CMIIA, director of group business risk and assurance at building supplies retailer Travis Perkins and a member of the IIAs Heads of Internal Audit Service, explains that internal audit has a valuable role to play at several points along the M&A path. Before any M&A activity starts, internal audit can review the process that an acquisitive company might go through when undertaking a theoretical takeover, he says. This would include a consideration of funding potential for example, does the organisation have themeans to execute a M&A shouldthe opportunity arise? Itsuseless wanting to buy a business but not having the cashdeposit available or the support of shareholders for the issuing of shares before you even start, he says. Finch also thinks that a review of the valuation modelling

20

techniques used by the business toset its acquisition price is another important area for internalaudit involvement. Asset values, earnings multiples, discounted future cash flows and so on will all provide a different answer aboutthe businesss value, he warns. This might affect whether the company decides togo ahead with the acquisition, because it may deem the target organisation too expensive or decide that the business does not hold the commercial value first thought. Finch says internal audit may also have a role in the validation of assets and liabilities. Stock may physically exist, but does it hold a value? For example, surplus promotional stocks relating to a campaign run six months ago,obsolete packaging, time-expired stock and so on all hold a material value, but not quite the degree of value first thought, he says.

Most mergers fail internal audit needs to understand why

Seal the deal

There are also competition issues that internal audit could investigate or highlight to management, Finch says, particularly if a merger of two dominant players in a market could adversely affect consumer choice. Where an organisation is a leading part ofits sector,

theOffice of FairTrading willnodoubt getinvolved. Anappreciation of whether the regulator will refer theacquisition tothe Competition Commission or require a compulsory divestment can influence the M&A strategy.This should be considered by the organisation before making a bid, he says. Neale Andrews, head of the corporate and commercial practice at law firm Mundays, which undertakes M&A work,

also believes that internal audit can add real value by getting involved in the process before the acquisition. For example, internal auditors can help to identify how long the process might last. Effective timetabling is an invaluable asset and can be a deal-breaker if management wants to capitalise on the merger quickly, he says. There are other areas where internal audits skills can be used to great effect. Andrews says that internal audit can identify potential hidden costs, such as legal liabilities, and help to arrange indemnities to ring-

fence the acquirer from having to pay for them or to reduce the purchase price of the target. The profession can also showits value during the implementation. At particular stages in the acquisition, management should be stepping back and taking stock of what it planned to achieve by certain dates and whether those plans have crystallised, Finch says. Days one, 30, 60, 90 180 and 365 are the normal points. As with any project, theres a danger that the benefits will be overstated and the costs understated. So internal audit can work with the

M&A project manager to give some validity to statements that are made. Detailed planning for these milestone dates will give credibility to the M&A, so assessing the extent by which each activity has progressed can add real value, he says. Internal audit is also well placed to assess the M&As success when its completed. Once the dust has settled, internal audit can clearly conduct a post-investment review, Finchsays. This might be in the remit of internal audit, or line management could do it, with internal audit reviewing the

effectiveness of the M&A itself. The purpose should be to see what could be done better in the future, rather than identifying victims of the activity. Yet, despite the skills that internal audit has to offer, some believe the status quo will remain: the catch being that, without experience, internal audit lacks credibility and so cannot gain the experience it needs in order to prove itself. David Coombs believes that whether internal audit actually gets more deeply involved in the M&A process or not depends on managements viewpoint and the structure of the organisation. Management may call on internal audit for assurance and advice on specific aspects when it feels that the function can add value, but not necessarily call on it to have an ongoing role throughout, Coombs says. If you already have skills in-house that can help to ensure success, these should be used, headds. But internal audit is also a function thats accustomed to challenging the thinking behind business strategy and standing up to management andits certainly useful to have an independent voice that can take a more detached view of how the deal is going, the risks involved and the controls needed and of what should happen after implementation. for more information To have your say on this andother issues, go to auditandrisk.org

Top tips for M&A success

Rainer Lenz, vice-president of internal audit at pharmaceuticals company Actavis, offers some advice for internal auditors to bear in mind when their organisations are preparing for M&As: It is always better to contribute to the M&A process before the actual transaction. Internal audit can determine whether management has adequately assessed the business case and whether the information the company is basing its decision on is accurate and comprehensive. For example, is the target businesss valuation correct? Find external help. If internal audit has no direct experience of performing M&A review work, make the case to buy in this expertise. M&As will create governance and control issues. Understand managements viewpoint. If internal audit follows a risk-based approach, it should have a good understanding of how management perceives thebenefits of an M&A strategy and its associated risks. Question the business case. Most mergers fail internal audit needs to understand why M&A projects dont succeed and to ask whether managers have properly addressed key areas for concern. For example, are the goals achievable? Internal audit has a key role inpost-merger integration. Check that there are proper synergies to link the businesses together and assess how long integrating them is likely to take it may take years to combine teams, IT systems and so on.

21

While the government and the Serious Fraud Office have stressed that they will make no exemptions, theyve recognised that facilitation payments will take time to eradicate

The bribery act 2010 one year on

22

The introduction of the Bribery Act 2010 last summer toughened the UKs stance against corruption by individuals and organisations both here and abroad. While some welcomed it as a necessarily strong measure, others feared that it could, by criminalising normal business practices, put British companies at a competitive disadvantage. Has its impact been as great as expected? We seek five expert views on the acts effectiveness or otherwise so far.

1
More thought could have been given to explaining what is expected of companies

Geoff Nicholas, CMIIA, head of global investigations group, Freshfields Bruckhaus Deringer, and a member of the IIA Heads of Internal Audit Service.
act. While the government and the Serious Fraud Office have stressed that they will make no exemptions, theyve recognised that such payments will take time to eradicate. They have offered some comfort by stressing that, providing that firms make reasonable efforts to eradicate such payments from within their own businesses, it wont be a focus of attention. Butthis itself is confusing: what, for example, are reasonable efforts? More thought could have been given to explaining what is expected of companies and more information on what support might be available to those operating in high-risk countries. There has been a significant increase in awareness of, and activity against, bribery, but not solely because of the act. Recent high-profile prosecutions and costly resolutions in the US, as well as new legislation in countries such as China and Russia, have all shown that it is being seen as a significant area of risk. The necessary modifications wont be made over night, especially where there needs to be cultural change and when it involves firms operating in global markets. Its not only about senior managements understanding of how the act affects the business and the changes that must be made. Its also about instilling this understanding across the organisation and in the business partners it works with in different markets. When certain practices are ingrained in your day-to-day operations, it can be difficult to turn them off.

International law firm Freshfields has helped clients worldwide to understand the implications of the law and the steps they can take to protect themselves from liability. Nicholas has led his firms response to the act. The main concern for businesses and the media before the act came into force was its implications for corporate entertainment and hospitality. People have since understood that, providing that adequate approvals processes are in place, it neednt be a constraint. But it has led many to review how they deal with hospitality, with companies changing their processes as a result. The biggest impact on our clients has concerned their dealings with third parties, intermediaries and agents, especially in new markets where theyre trying to expand. The incidence of bribery in many key emerging markets is relatively high. Whether businesses are making an acquisition, entering a joint venture or engaging a third party, weve seen them really ramp up their anti-bribery and corruption due diligence. Most have reviewed their compliance procedures and some have established new ones. Many have also significantly strengthened their internal compliance functions, sometimes creating dedicated compliance teams. Another big issue and one on which there could have been more clarity is facilitation payments. These relatively small sums, sought by some nations government officials as a matter of routine, constitute bribery under the

23

The bribery act 2010

one year on
Greg Coleman, director of
Coleman, who joined the company in January, is responsible for internal audit, risk management processes and the coordination of assurance work performed across the group. As expected, the act has placed the bribery topic firmly on our boards agenda and it has been given a high degree of focus. In common with other organisations, we have done a lot of work in re-emphasising, formalising and embedding the companys adequate procedures, including a code of conduct, a whistle-blowing process and a gift and entertainment register. We have also spent time rolling out training to make sure that the message is well understood. To some degree, this is just a question of good corporate governance, but it has taken a lot of time and effort. Organisationally, however, not much has changed. We looked at our contracts with suppliers and distributors and amended these, where necessary, to ensure that the obligations placed on us by the act are properly passed on to them. We have also built specific anti-bribery tests into our standard audit scopes and will be conducting reviews of the implementation of adequate procedures on future audits. As well as these enhanced processes, the increase in training and a strengthened audit approach, we are using PwCs BRisk tool to ensure that we focus our efforts on the areas of greatest risk. Looking back, Id say that official guidance on the act has been lacking. To some degree, we have been forced to rely on comments made by various officials regarding how best to take a pragmatic approach to the legislation.

Anne Hayes,

head of development for governance and risk, British Standards Institution.

corporate assurance, Imperial Tobacco, and a member of the IIA Heads of Internal Audit Service.

To some degree, this is just a question of goood corporate governance

In November 2011 the BSI launched BS10500, astandard aimed at helping organisations to show that they have robust anti-bribery systems in place. While many organisations havethe know-how and desire to address the risks, few have a formal framework to work to. Having such a tool is useful, as it requires you to document all your anti-bribery activities; to train people addressing the issues in the organisation; and to educate everyone throughout the business about their responsibilities and the procedures in place. To do that effectively, you must also have support from the top of the organisation. Since the launch of BS10500 weve seen interest from companies of all sizes, but particularly large supply-chain organisations that are active subcontractors. These businesses are under considerable pressure from UK and international regulatory bodies, as well as from internal and external stakeholders, to demonstrate that they have in place appropriate measures to prevent bribery. As such, and especially since the release of the Bribery Act 2010, its an issue that has risen up the corporate agenda. The BSI recently held an event where firms discussed the value of implementing BS10500 asthey consolidate their anti-bribery measures. The overriding message was that implementing such a standard was a great chance to ensure that they had robust formal processes, systems and practices in place against bribery. The act of implementing it enabled them to identify any areas of risk in their client systems and then take appropriate action.

Looking for more? GO online

The institute provides detailed guidance on how to ensure that your organisation complies with the legislation. Visit bit.ly/jc9Q3W and bit.ly/O9pzJ8 for further information. An IIA Heads of Internal Audit Service forum entitled Corruption is it on the internal audit radar? will be held in Dublin in October. Email jasmine.mcclymont@iia.org.uk for details.

John Burbidge-King, founder and CEO, Interchange Solutions.

Burbidge-King is a member of the UK Fraud Advisory Panel and the UK Defence Business Ethics Forum. He submitted evidence to Parliaments joint committee on the draft bribery bill. Given that the act has been in place for a year, I would have expected some kind of announcement about the number of prosecutions to date, but there has been none. Bribery cases will take time to come to court, as the act was not retrospective and such cases are complex, particularly if they involve foreign entities. But I think that this vacuum has given companies a false sense of optimism that investigating bribery is now less important. Efforts have increased across the Pond. Yet firms that may be subject to the Foreign Corrupt Practices Act 1977 by virtue of trading in dollars or having a presence in the US have been lulled by UK inaction into a false and dangerous sense of security. Overall, though, weve seen that some firms have kept up the pressure while others, especially when seeking out new markets, are less cautious than they were a year ago. We have clients that havesought integrity undertakings and references on all associated persons, including professional advisers such as lawyers and accountants. It will be difficult for organisations to gauge thesuccess of any anti-bribery measures they haveimplemented until theyre tested, either by therebuttal of an allegation or an acquittal in court. Thereal test for a company that has not implemented anti-bribery measures before is whether doing so has positively contributed to how it does business, particularly in higher-risk markets. Has the process of examining what has to be done and incorporating that into business strategy and process facilitated a more risk-aware approach? It will be interesting to note the impact of assurance systems such as BS10500. Its implementation will lead not only to better risk management but also to more transparency and a clearer process for internal audit. This should prove to be a positive differentiator in the supply chain and, once the standard takes off, when tendering for public contracts. It will, to some extent, increase confidence in contractors and buyers and it has the reach to be international.

25

David Johnson CMIIA, acting head of internal audit, Department for International
Development (DFID), and a member of the IIA Heads of Internal Audit Service.
benchmarking our processes against the Ministry of Justices adequate procedure principles. The act has helped us to increase awareness within the DFID, deliver onour mandate to drive out corruption inour programmes and spread the anti-bribery culture. For example, we have introduced initiatives to help us gain assurance on the people we work with and ensure they are aware of their responsibilities under the act. This includes installing new due diligence procedures, providing an e-learning course and piloting stronger methods for identifying risks in partner bodies that use our funds. These initiatives help to safeguard DFID money and reduce the risk of reputational harm. Promoting sustainable development and eliminating world poverty are key aims of the DFID. As a strong promoter of good governance and opposer of corruption, the DFID welcomed the act and the increased scrutiny, support and guidance we anticipated it would bring. We needed to make sure we were ready for its impacts on the delivery of ourwork in insecure environments and on the safety of our staff there. To prepare, weconsidered our risk exposure and adopted preventive controls by consulting our country offices and Management is primarily accountable for the risk, but my team has a clear mandate to support the business by aiding the identification and assessment of bribery risk; providing assurance on the adequacy of policies and procedures; and championing good practice. So we conducted a review and recommended improvements, which have since been implemented. We have strengthened our audit assignments via a range of initiatives, including the facilitation of fraud risk workshops, which include material on the act; sharing best practice through a departmental newsletter; and providing guidance and links to the Ministry of Justices Quick start guide (www. justice.gov.uk/legislation/bribery).

Socially acceptable risks

Fifteen years ago it was email and the web; today itis a new generation ofworkplace technology trends thats creating opportunities and risks for organisations. How they manage their employees use of social media and personal communication devices is a key concern forinternal auditors.
The role of social media in the Arab spring is well documented, as is its part in organising the London riots of 2011

26

Words: Wilma Tulloch Photograph: Richard Gleed

What can predict an epidemic and get a president elected? Theanswer or so it is claimed is social media.The US Centers for Disease Control (CDC), for example, have cottoned on to the fact that, when people are sick, the first thing they do is look up their symptoms using a web search and tell their online friends that theyre feeling ill.The CDC found that, by monitoring the incidence of the word flu on social networks, they could see aninfluenza epidemic coming two weeks before the data from GPs clinics and hospitals confirmed it. In 2008 a cash-strapped nominee for the US presidency used social media to communicate with the people of America, mainly because he couldnt afford conventional advertising. By creating Twitter and Facebook accounts, Barack Obama was able to interact with voters on a daily basis. Although the charisma of the candidate probably had something to do with it, his use of social media helped to mobilise young supporters in particular. Hence the 2008 election had the highest youth participation in history and saw the biggest turnout in a presidential poll since 1908.

People trust peer-to-peer recommendations more thanads. Something that theyve read on a friends Facebook page has a greater impact and the corporate world is taking this on board

IBMs advice on embracing social media

US computing giant IBM has been encouraging its employees to use social media since 2005, when it published its first social computing guidelines. Its clear that social computing can be a great way for employees to build powerful networks and to showcase all that we have to offer, says Adam Christensen, the companys social media communications manager. Surveys told us that personal experience with IBM employees has the greatest impact on executive opinions about our company, IBMs advice is that social media may change how we say things, but it shouldnt change what we say. Its tips for users are: respect the privacy of others (89 per cent of web users give out personal data online, including details about their nearest and dearest) and do not disclose sensitive or confidential information. Lastly, make it clear online who you are and when youre expressing your own opinions and when youre speaking for your organisation. The full IBM guidelines can be found at http:// ibm.co/3yKymv

27

About 60 percent of information workers use their own devices forboth work and personal purposes Nearly threequarters of these believe that it increases their productivity

{
Exposure good and bad

Virgin Atlantic dismissed 13 flight attendants for criticising the airlines safety standards and describing its passengers on Facebook as chavs

The role of social media in the Arab springis well documented, as is its part in organising the London riots of 2011. Its clearly powerful stuff. But what can it do for organisations and is it safe to get involved?

Social media: what is the government doing?

28

Social media gives businesses the chance totalk to their customers and find out what they might be saying about their brands, according to Stephen Hill, managing directorand data security specialist at Snowdrop Consulting. It also gives them a whole new way to harvest information aboutconsumers. But the main thing is thatit exposes organisations to a much greater audience, he says. Indeed, as of May 2012 Facebook claimedto have 900 million active users more thanthe total population of the Americas (about 859 million) plus that of Australasia (39 million).Twitter reckons to have about 500 million active users. Social media is also more powerful than advertising. As Hill points out: People trust peer-to-peer recommendations more than ads. Something theyve read on [holiday review site]TripAdvisor or on a friends Facebook page has a greater impact and the corporate world is taking this on board. Ryan Rubin, UK director of security and privacy at global consultancy Protiviti, agrees about the value of social media, but points out a number of pitfalls for internal auditors to bear in mind. Social media is vulnerable to the same types of fraud as those affecting other information technologies. A typical scam is to compromise someonesTwitter account then post a link from there that takes an unsuspecting user to a corrupt site. A hacker on the outside can then come into your computer and bounce from there inside your corporate network, Rubin warns. These things are happening all the time. Criminals never stop trying to break through security systems, so users need to be warned about their tactics, while firewalls and anti-virus programs need to be updated continually. Social media sites also lay

organisations open to security risks of another kind.Think of the MI6 chief, Sir John Sawers, whose wife posted personal details on Facebook, or of a chief executive who might casually tweet his location and inadvertently alert competitors to an impending merger or acquisition. Rubin also alludes to the lonely hearts scam, in which a new Facebook contact befriends a senior executives personal assistant to gain intelligence about their bosss activities.

Word of mouth
David Willetts, minister of state for universities and science, explains how the Department for Business, Innovation and Skills (Bis) is managing the risks. The cyber-risks threatening the competitiveness of this country require co-operation and action from both the private sector and the government. Thegovernments 650m cyber-security strategy, published in 2011, sets out howthe UK will support economic prosperity, protect national interests and safeguard the public by building a more resilient digital environment (www.cabinetoffice.gov.uk/ resource-library/cyber-securitystrategy). We will shortly be reporting on progress against our targets one year on. Bis, GCHQ and the Centre for the Protection of National Infrastructure (CPNI) have also published a cyber-security guidance booklet. This provides risk guidance for boards, outlines key challenges and risks, and provides practical measures to mitigate those risks (copies can be found at bit.ly/BisCyberSecurity). More broadly, there is activity under way across the government to raise awareness ofthe threats and provide advice. Guidance for large companies is available on the CPNI website (www.cpni.gov.uk/advice/cyber), which lists 20 critical means of effective defence, along with a comprehensive range of protective measures. Tailored advice for smaller businesses and individuals can also be found at www.businesslink.gov.uk and www.getsafeonline.org. Visit www.auditandrisk.org.uk to read a longer article by Willetts on the cybersecurity challenges facing UK businesses.

You often hear that phrase what goes online stays online and its very true

The use of social media also poses a serious reputational risk. Customers, for example, can be brutally honest about a product or service, doing a lot of harm in the process. Even more damaging, perhaps, is when employees share their negative comments about an organisation.The number of cases is growing. Virgin Atlantic dismissed 13 flightattendants for criticising the airlines safety standards and describing its passengers on Facebook as chavs . A worker was sacked by Waitrose for making obscene remarks online about the John Lewis Partnership. And an employee who posted I work at Argos and cant wait to leave because its shit had his wish granted sooner than hed expected. Meanwhile, 15per cent of workers in the US told Deloittes 2009 ethics and workplace survey that, if their employer did something that they didnt agree with, they would comment about it online. Of course, there have always been unhappy customers and jaded employees. The difference now is that the complaint can potentially be seen by millions of people and wont ever be entirely removed. You often hear that phrase what goes online stays online and its very true, Hillsays. What people dont realise is that what youpost to Facebook belongs to Facebook. Its very difficult to have them remove material unless, for instance,

Criminals never stop trying tobreak through security systems, so users need to be warned about their tactics, while firewalls and anti-virus programs need to be updated continually

21

thepolice havehad to get involved because criminal activities have occurred.

Left to their own devices

An extra layer of risk is introduced when people use their own mobile communications tools for work purposes. The bring-your-own-device (BYOD) trend is strengthening because many IT manufacturers are focused on putting their best innovations into consumer products. Consequently, employees are acquiring more powerful devices than their employer can provide and they want to use these at work. According to e-learning specialist intuition.com, about 60 per cent of information workers already use their own devices for both work and personal purposes. Nearly three-quarters of these believe that BYOD increases their productivity, while four out of five use their devices to access their office network without their employers knowledge or permission. By their very nature these portable devices are highly vulnerable. About

70million smart phones are lost every year and nearly one-third of their owners lose allthe data held on them, because they havent stored it anywhere else.The security implications are clear. Internal auditors need to stay aware of all the changes and provide assurance to management that the right safeguards are in place.These will include technical solutions that retain data in the network and prevent itfrom disappearing in mobile devices. Procedural measures are required, such as restricting access to customer data only to staff members who need it. Organisations need to have policies and procedures in place for their own protection, Hill says. They should already have an internet and email policy, so social media is an add-on, addressing the things that employees should and shouldnt do. Not that all the issues will be clear cut. Think of instances where an employees friend posts an injudicious picture of them online. How can they still be held liable? And when does conduct in an employees own

time reflect on their employer? People have the right to a private life under the Human Rights Act 1998, while the Regulation of Investigatory Powers Act 2000 stipulates what can be recorded in terms of monitoring peoples activities. Organisations must tread carefully to protect themselves and explain clearly what they expect from their staff. But remember that, as well as the threats, there are opportunities. A generation has grown up with the internet and finds social media a natural and productive way to communicate. Organisations need to embrace all the advantages, Rubin says. One of the biggest risks is to do nothing and then get left behind.

For further information

To have your say on this and other issues, go to www.auditandrisk.org.uk An IIA Heads of Internal Audit Service forum on social media risk and the impacton organisations will take place on 17 October in London. For more details emailjasmine.mcclymont@iia.org.uk

Tools for the job

Scoping it out
The scope of your work as an internal auditor depends mainly on the risks that your organisation faces. But how those risks are identified and prioritised will vary from process to process, aswill the level of flexibility built into your audit plan. At the Met Office one of the organisations featured in a set of case studies published recently by the IIA and the National Audit Office the functions scope is defined by the risks prioritised by its senior management and audit committee.The risk management team deals with those risks, while internal audit liaises with it to suggest controls and review progress. The internal audit team takes an overall view of the risk and assurance landscape, says Jonathan Kidd, HIA at the Met Office. We look at the risks in key areas against corporate objectives and the risk appetite of management. Internal audit works with management to rank proposed audits on an ABC model from high to low risk. It also uses assurance mapping to identify any gaps and determine which assurance provider should review the management of that risk.This rolling plan sits in the background throughout the year, but new risk areas or requests for reviews are added as they arise. Its not just an annual process, Kidd says. We have a watching brief to see if there are any emerging risks that we need to be aware of and to budget for

How should internal audit ensure adequate coverage of risk and internal control within the business? Three HIAs explain what works in their organisations.
in any future audit plan. Internal audit then categorises these audits for possible review, depending on how highly management prioritises the risks related to them. We also speak to people across the business individually to validate whether risk registers are accurate and reflect the key risks their business areas face. At Travis Perkins, a company supplying the UK building and construction industry, the scope of internal audits work is set out in its audit charter.This defines what the function can and cannot do. It is ratified annually by the audit committee. According to David Finch, director of group business risk and assurance, this provides a go anywhere, look at anything remit. If internal audit is going to sit independently, it is best to set the charter and terms of reference aswide as possible, he says. Itallows us the freedom to do what we think is right for the role of internal audit. There are about 200 business risks on the companys risk register, ranging from general to specialist to unpredictable black swan risks.These are prioritised using a matrix, but Finch deliberately does not account for all of internal audits work in the audit plan. Instead, he leaves a contingency so that the appropriate extra resources can be made available if needed. At global hotel chain InterContinental Hotels Group (IHG), an integrated assurance model and risk-based internal audit approach helps the function to define its coverage. This integrated approach gives us a better idea of how other assurance providers understand risk, control it and deliver assurance, so we dont duplicate work, says Bruce Vincent, IHGs global head of internal audit. By understanding and assessing the effectiveness of the activities of other assurance providers, such as IT, legal and risk management, we can work out if we need to review some of these areas more deeply or if we can prioritise resources for reviews elsewhere. While the annual audit plan is prepared and approved by IHGs audit committee between August and December, the internal audit team makes continuous reassessments using a dynamic risk assessment model. Vincent says: This allows us to adjust the annual audit plan to take account of emerging risks and to reassess and reprioritise activities as and when required. Visit www.iia.org.uk/ casestudies to download the series of case studies that the IIA and the National Audit Office have published on internal audit practices. Useful guidance can also be found in the International Standards. Practice Advisory 2050-2 focuses on assurance mapping, while Standard 1000 and Practice Advisory 1000-1 cover purpose, authority and responsibility (bit.ly/ JNjK4R).

30

Three tips on effective scoping

Agree the scope of your function with the audit committee and have it built into the audit charter. But try to leave some flexibility to enable your team to react to emerging risks. To minimise duplication and free resources for other areas, look at the range and depth of assurance given to management by your organisations other assurance providers. Understand managements risk priorities and ensure that work is aligned with these.

Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School
Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience. We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes, full time, block release or flexible learning*. The programme of study provides: - Single assessment for each module using both assignment and examination methods. - Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels as well as adding value through real world industry and professional experience. - Significant visiting practitioner involvement in the delivery of each module. - A cost effective pathway to internal audit career development. Annual course fees for 2012/13 registrations are 7500 (full time) or 4500 (part time) and include all learning materials and subscription/examination fees payable to the IIA.

For further information, please visit our website: www.bcu.ac.uk/audit or contact us directly E: mscaudit@bcu.ac.uk T: 0121 331 6595 / 5623.
* Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.

IIA Scotland Conference 2012

Internal Audit - A Critical Friendship
The 2012 conference will explore the concept of Internal Audit as a Critical Friend to organisations. Presentations will consider how we, as Internal Auditors, work in the current business environment to build key relationships, provide assurance and/or deliver bad news. Our keynote speaker is Sir Edmund Burton, Chairman of the Information Assurance Advisory Council. Other speakers include:
s s s s s

Dates/locations 1-2 November 2012 Doubletree by Hilton, Dunblane Hydro

Nicola Rimmer Institute President elect Dr Ian Peters Institute Chief Executive Karl Snowden Chief Executive, Westminster Forum Rory Alsop President ISACA Scotland James Paterson Risk and Assurance Insights

Contact: Kati Fiebig Tel: +44 (0) 20 7819 1921 Email: kati.fiebig@iia.org.uk

Career development

Show and tell

Scour the internet and its easy to get rattledby statistics about job interviews. Interviewers, apparently, make their minds up about you as quickly as 30 seconds in precious little time to demonstrate your enthusiasm and suitability for the job. Yet,foran internal auditor, building a rapport quickly and making a good first impression should be second nature, according to PaulGoodman, founder and director of recruitment specialist Goodman Masson. Internal auditors are often faced with situations where they meet new heads of businesses or functions, he says. But great internal auditors are adept at building a rapport, which is also a key ingredient in anygood interview. Internal audit teams have to spend a long time in each others company and form strong relationships quickly in a variety of different commercial and cultural settings.Theres a level of judgment and intuitive skill required to judge how to interact when walking into a new audit environment, which applies equally in an interview situation. Good listening skills, crisp answers and likeability which normally come from beingyourself are all basic, yet important characteristics that should shine through during those opening minutes.

A job interview is a great chance for an internal auditor to demonstrate some of their most valuable skills. Paul Goodman explains how.
appropriate weight of delivery is a key abilityfor an internal auditor and can be an important factor in their long-term career progression, Goodman says. The level of detail and relevance of content that the interviewee provides to questions will, therefore, give the interviewer a valuable insight into their skills in this area. Preparation here is key, then, although this should not be confused with rehearsingascript. If you over-prepare, yourisk sacrificing that valuable rapport, and explaining past career moves.Yet you must also be mindful of details that are specific to internal audit. Goodman explains: Internal auditors need to think carefully before the interview about the risks that their organisation faces and those of the recruiting company. Be prepared to explore your thoughts about possible audit approaches and what relevant experience you have. Such discussions offer internal auditors areal opportunity to sell themselves something that Goodman believes can be a weak point. Internal auditors often make toolittle of the fact that they must understandbusiness and operational strategy in order to deliver results, he says. If you emphasise this, it will enable you to be more expansive in your answers.You can demonstrate that you have a broad commercial grasp, rather than purely a knowledge of risk and audit technique. Most important of all in an interview is to think carefully about what the interviewer is looking for and shape your answers and approach accordingly. Ultimately, interviewers are trying to find out if you can do the job, if you want to do it and if you can fit in, Goodman says. Put yourself in their shoes and think how you can convince them that you can, you do and you will.Then you will have the edge over the competition. Paul Goodman is the founder of Goodman Masson, the largest independent financial recruiter in the UK. The company covers, among other areas, accounting, tax, audit, risk and management consultancy. He can be contacted at paul.goodman@goodmanmasson.com

32

Job candidates tend to spend a disproportionate amount of time researching companies rather than thinking about themselves
Goodmanwarns. And, while preparation should be comprehensive, its important toplace the focus on yourself your experience, abilities and ambitions. Job candidates tend to spend a disproportionate amount of time researching companies rather than thinking about themselves, he says. Its often why they ramble when asked simple, predictable questions but give brilliantly thought-out answers about the latest set of results. Internal auditors shouldnt underestimate the importance of dealing effectively with the kind of stock interview questions they expect: talking the interviewer through their CV, describing their strengths and weaknesses,

Question time
An interviewer can also spot a talented internal auditor by the manner in which they answer his or her questions. Most candidates will have the knowledge and experience to respond with the correct information, but delivering the right level of detail, without over-simplification or digression, is harder. The ability to summarise key audit points and recommendations with the

You asked us

Q&A

Our technical helpline provides valuable advice to members on ahost of professional issues. Hereare some of the questions youve submitted recently.
Q. We are creating a new audit committee and I would appreciate some pointers on the ideal combination of skills. A. In its 2010 guidance on audit committees, the Financial Reporting Council suggests that the audit committee should have at least one member with a professional accountancy qualification.This makes sense, given that theres a good deal of financial content to the work of an audit committee. Other than that, there is no standard or ideal mix of skills and, in practice, you can work out the range of the skills that best suits your organisation.You might, for example, include skills relating to governance, risk management, internal control, IT or regulatory compliance.There are many options and no limit to this. For example, some housing associations appoint a tenant representative to their audit committees. Lastly, its important to consider attributes as well as skills. Audit committee members should have true independence and the ability to challenge management.They must also be free from any conflict of interest. Q. I am about to begin a review of information governance. Do you have any resources that might help me? A. Id recommend the global technology auditguides (the GTAG series of practice guides). In particular, GTAG15 (issued in June 2010) covers information security governance and the role of internal audit. It includes advice on how to plan audit reviews and the test that you can perform. But there

are others in the series that may also help you. Visit bit.ly/GTAGs for details. Q. I need some technical advice about audit needs assessments. Are any relevant publications available to members in the IIA resource library? A.There are two sources of information that may help you.The first is a series of case studies that the IIA has prepared on behalf of the National Audit Office, which look at how internal audit is planned and delivered (www.iia.org.uk/casestudies).These tell us that internal audit activities assess audit needs by talking to their stakeholders and providing assurance on high-priority risks. Resources are set according to how far the audit committee wants internal audit to go down the list of risk priorities. The second source of information is a set of six research reports issued by IIA Global in 2011, based on a survey of nearly 14,000 members worldwide.The fourth of these, Whats next for internal auditing , highlights where internal audit activities focus their time and the engagements internal auditors expect to be performing in the near future. You can find all the reports on the IIAs benchmarking page (bit.ly/IIAbenchmarking). Q. According to Practice Advisory 2010-2, Using the risk management process in internal audit planning, internal

auditors audit key controls and provide assurance on the management of significant risks. But the global position paper entitled The role of internal auditing in enterprise-wide risk management says that internal audit should not provide management assurance on risks. Can you explain the apparent conflict between the two positions? A. I can see how this might cause confusion, so Ill try to give a short and simple explanation. Management is responsible for identifying, assessing and responding to risk. In the process, some managers will provide assurance that these responses are working effectively. Theymight include line managers (we call this the first line of defence) or staff in a risk or compliance team (the second line). Both the first and the second lines of defence are, therefore, part of the organisations management structure. Thestatement you cite from the position paper means that internal audit should not adopt a management role. In other words, itshouldnt hold management responsibility for risk, including management assurance the second line of defence. The value that internal audit brings to an organisation is independent and objective assurance (the third line of defence), giving the audit committee an unbiased opinion on the effectiveness of risk responses.This assurance covers how effectively the organisation assesses and manages its risks and includes assurance on the ways in which the first and second lines of defence operate. This assurance encompasses all elements of an organisations risk management framework, from risk identification and assessment processes to the internal control system as a response to mitigating risks.  ot a question? G Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

33

Looking for more? GO online

Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

IIA UPDATE
CPD accreditation scheme to benefit members and theiremployers
Under a scheme launched in September, organisations that employ IIA members and support their professional development can be accredited as such, formally recognising their commitment to CPD. Members working for an accredited employer are exempt from the annual monitoring process. Accredited employers demonstrate that their staff have appropriate opportunities to address their development needs; are supported and encouraged to undertake relevant activity; and are required to reflect upon the outcomes, benefits and further development opportunities, said Steve Rainbird, qualifications and professional development manager with the institute. The process involves an independent review of the organisations structure, as well as the internal audit teams roles. BT Group was one the first employers to sign up. Grant Harrison, head of internal audit operations in its internal audit division, said: By subscribing, we are demonstrating not only to the existing members of our team, but also to potential recruits our commitment to supporting the achievement of professional excellence. To find out more about the scheme, visit bit.ly/IIA_CPD

Annual dinner hails IIAs awardwinning performers

Once again, the institutes annual dinner (19 July) brought together internal auditors, regulators and assurance providers from across the UK to celebrate the profession in high style. Amyas Morse, comptroller and auditor-general at the National Audit Office, highlighted the value of internal audit in his keynote speech. He argued that the function should have a seat at the top table ofmanagement inorganisations. Morse also emphasised his view that internal auditors needed to have greater ambition. They should not be afraid to ask for more resources and, if their requests are refused, to keep asking and not take no for an answer, he said. Dave Reynolds FIIA, president of the institute (pictured, above left, with J J Morris award winnerDr Sarah Blackburn and IIA Globals new chairman, PhilTarling CFIIA) echoed Morses remarks, pointing out that internal audit is increasingly becoming part of the conversation about better corporate governance, particularly in the public sector and the financial services sector. Of course, no awards dinner would be completewithout the awards themselves. This years student award winners included:

Amyas Morse, comptroller and auditor-general at the National Audit Office, delivered the keynote address.

Lorraine Matkin PIIA of the Food Standards

34

Agency, who won the Charles Duly prize for the best overall mark in the Diploma exams. She said: I am proud to receive an award, but credit the excellent tutors who inspired and helped me during my studies. Alastair Foster CMIIA of RSM Tenon, who won the Peter Hook prize for the best overall mark in the Advanced Diploma exams. He said: Its great to be recognised for the effort you put into the exams. The qualification is rewarding enough, knowing how respected it is, so the prize is the icing on the cake. In addition, this years J J Morris award for distinguished service was given to past president DrSarah Blackburn CFIIA, managing director of the Wayside Network. She said: Iamdeeply honoured to receive the award and I thank the president and council for nominating me. But of course hundreds of people were involved in getting the institute to chartered status, both staff and volunteers, plus well-wishers from many other institutes and organisations who supported us. Iaccept this award on behalf of everyone who helped us to move Forward chartered. Lastly, the IIAs annual special award went to Jim Thomson CMIIA, who has been active in the Scottish Region for over 37 years.

Education committee seeks new members

The professional development committee (PDC), a standing committee of the IIAs governing Council, is looking for volunteers to help set the direction for the development of, and support for, the profession. As discussions with IIA Global continue about the possibility of an international advanced qualification, together with a full review of our education strategy, these are interesting times to be involved. The PDC is responsible for overseeing strategy relating to education principally qualifications, CPD and technical guidance. It meets three times a year and members usually serve three years (up to a maximum of six). Applications from any member will be considered, but the PDC particularly welcomes them from recently qualified members, those from the Irish Region and those with a background in the public sector. If youre interested, please email education director Francis Nicholson at francis. nicholson@iia.org.uk. You will be asked to send a CV showing relevant experience and/or qualifications.

Four Directors join IIA Council

The PDC is responsible for overseeing strategy relating to education principally qualifications, CPD and technical guidance

IIA Global has appointed Phil Tarling CFIIA as its new chairman. Tarling (pictured) is a long-standing member and a past president of the IIA in the UK and Ireland. He has more than 25 years of experience in internal audit, finance and budgetary roles, including two decades as a head of internal audit. As chairman for 2012-13, Tarling will act as IIA Globals chief spokesman. He will lead its strategic initiatives and advocate the advancement of the institute and the internal audit profession worldwide. Visit visit bit.ly/IIA_Chairman to hear more from him about the role of the internal auditor and to find out more about his chosen theme for his chairmanship: Say it right.

Tarling becomes chairman

After an election for members of the IIA Council, four directors will join at the AGM in October. Phil Byrne, Grant Morrison and Neil Hart will take office for terms of up to three years and Pamela McDonald has been elected for an extra three-year term. Neil Hart CFIIA is recently retired, having spent most of his career in central government audit, including being HIA for the Forensic Science Service and the Immigration Services Commissioner. Grant Morrison CMIIA is HIA at Alliance Trust, the largest generalist UKinvestment trust bymarket value listedon the London Stock Exchange. Phil Byrne CMIIA is internal audit manager at HMRC and has been on the IIA North East committee for the past two years. Pamela McDonald PIIA was originally elected to the Council in 2008 and is also a member of the IIA Ireland committee. Sheis currently the internal auditor in OurLadys Childrens Hospital, Crumlin, and has over 20 years of experience working in internal audit. The next round of nominations will be held in spring 2013.

35

Congratulations to the following students, whohave been awarded IIA qualifications.

These individuals have successfully completed all requirements and are eligible to use the designations CMIIA, PIIA, or IACert as appropriate.

Clark, Peter RBS Group Clarke, Stephen Ashby, Claire Bath and North East Southbank Centre Somerset Council Ashford, Natasha Clifford, Barry Fife Regional Council SSE Renewables Atkinson, Neil Coughlan, Alexandra Department for Work Veritau andPensions Craddock, Victoria Benmaamar, Sobh St Jamess Place Subsea 7 WealthManagement Bowe, Jeffrey Crook, Emma Department for Work RSM Tenon andPensions Cunning, Joan Brown, Stewart Department of Finance Scott Moncrieff andPersonnel (NI) Coogan, Stuart Davidson-Dell, Simon Deloitte & Touche Centrica Energy Upstream Cook, Gillian Dean, Anthony Department for Work London Borough andPensions ofHillingdon Cooper, Darren Del Greco, Gabriella Department for Work Deloitte & Touche andPensions Dennis, Hannah Davies, Victoria RSM Tenon TIAA Dolan, Paul Denny, Gemma RSA Insurance Ireland Grant Thornton Downer, Stephen Ellis, Matthew DSSO RSM Tenon Fahy, Paul France, Wesley Liberty Insurance Telford & Wrekin Council Fiddes, Carolyn Furness, Jon Friends Life Department for Work Flack, Alistair andPensions Aviva Goodman, Melanie Fleming, Ian Bridgend County Department of Agriculture Borough Council and Rural Development Gould, Sara Forster, Erin States of Guernsey RBS Group Grace, John Peter Fraser, Heather Birmingham City Council Northamptonshire Greenbeck, Fiona County Council Grant Thornton Hadfield, Barry Hamel, Brian Friends Life PricewaterhouseCoopers Harper, Jennifer Ceska republika Department of Agriculture Hastie, Hazel and Rural Development Fife Council Heasley, Roger Hellary, Daniel Department of Agriculture Britvic and Rural Development Hewitt, Paul Jackson, Peter JD Wetherspoons BGL Group Hodson, Lisa Jolliffe, Hayley Denbighshire Government CountyCouncil Procurement Service Hunter, Michael Julyan, Barry Diploma (PIIA) Department for Liverpool Victoria Adeoye, Andrew Education Friendly Society Ernst & Young Ilczuk, Ania Kelly, Elizabeth Ali, Mushtaq Prudential Department for SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 Transport for London Jimenez, Lucia RegionalDevelopment Atkinson, Andrea Bupa Kendall, George Ministry of Defence Johnson, David NFU Mutual Bramley, Sharon Khan, Shammi Department for Hartlepool Trafford Metropolitan International BoroughCouncil Borough Council Development Bromage, Andrew Killen, Melanie Jones, Philip Derry Central Library Worcester City Council Ministry of Defence

Chartered Internal Auditor (CMIIA)

36

Jugessur, Rhiannon Fortis UK Khan, Addiba HSBC Kitchin, Julie Jobcentre Plus Kumi, Anthony RSM Tenon Lamb, David Aylesbury Vale DistrictCouncil Lefevre, Irene Cigna Life Insurance Company McHugh, Matthew Deloitte & Touche Melluish, Helen Department for Work andPensions Moloney, Kevin South Coast Audit Murray, Fiona Birmingham City Council Pickering, Garry The Phoenix Group Ranger, Neil Xafinity Rashid, Shahid HM Revenue & Customs Safi, Irfan BT Group Salamon, Barbara Tearfund Self, Sarah Scottish Government Sharpin, Linda Tradex Insurance Shireen, Sidrah Global Crossing Slimming, James Towergate Partnership Stirling, Alexis Aberdeen Asset Management Thomas, Lisa Denbighshire CountyCouncil Tomkys, Nicholas RSM Tenon Viggers, Roderick BBSRC White, Pinar The Automobile Association Woods, Tracey

Lacy, Kelly Ann Home Office Lawes, Amanda Royal Borough of Windsor and Maidenhead Liveston, Kirsty Scott Moncrieff Lyons, Mark Travelex UK Martin, Edward Veritau McCarthy, Conor University College Cork McDowell, Andrew Schroders McGrath, Paul Simon Axa Sun Life AssuranceSociety McKenna, Fiona Department of Agriculture and Rural Development McNeil, Isobel Scottish Government Mearns, Vicki Department for RegionalDevelopment Mennear, Catherine Communities and LocalGovernment Metcalfe, James Essex County Council Miles, Neil Lha-Asra Group OKane, Stephen Northern Ireland Water Ovard, Neil John Warwickshire CountyCouncil Raine, Linsey Northumbria Internal Audit Rice, Michael Hansard Europe Robinson, James TD Direct Investing Saxton, Nigel American International Group Scott, Gavin The Aster Group Self, Sarah Scottish Government Semken, Timothy Veritau Shepherd, Anna Falkland Islands Government Shirley, Lana Transport for London Sloman, Anne Vale of Glamorgan Council Smith, Claire Business Services 17/4/12 Organisation 12:11 Snell, Mark Street, Anna Liverpool PCT Taperell, Alice ABC Taylor, Angela Yorkshire Building Society

Thomas, Elizabeth Deloitte & Touche Townsend, Jason Capita Life & PensionServices Towse, Mark Capital One (Europe) Trevallion, Nicola RSM Tenon Wood, Chris BT Group Yardley, Caroline Stockport Metropolitan Borough Council

Certificate (IACert)
Anwar, Irfan Department for Work andPensions Bagnall, Andrew GlaxoSmithKline Barker, David International Personal Finance Bird, Graham DX Group Bonner, Joanna Defence Internal Audit Boyle, Una Daikin Airconditioning Brown, Gerard Student Loans Company Byers-Coleman, Janet Met Office Carr-Jones, Roger English Heritage Clarke, Anulka Information Commissioners Office Clegg, Richard Ministry of Defence Dominey, Maria Information Commissioners Office Drury, Paul Transport for London Duncan, Liam Information Commissioners Office Heath, Victoria Information Commissioners Office Heaton, Janet Lloyds Pharmacy Hennessy, Laura Information Commissioners Office Honour, Steve Johnson, Keith Ecclesiastical Insurance Page 1John-Pierre Lamb, Information Commissioners Office Littler, Christopher Information Commissioners Office Mangan, Thomas Fin Sec & Audit

Matthews, Anthony HSBC McAllister, Penelope Jobcentre Plus McLuckie-Townsend, Jane Department for Work andPensions Moore, Bal Jobcentre Plus Moss, Katharine Katharine Moss Consulting Neal, Gareth Information Commissioners Office Oatway, Derek Horton Housing Association Pickering, Michelle Nationwide Quantick, Danielle General Dynamics UK Rawcliffe, Heather Department for Work andPensions Sheldon, Jennifer Bibby Distribution Stone, Jolyon Information Commissioners Office Tonks, Annette Ministry of Defence Topping, Karen Webb, Richard AWE Webb, Debra AWE Willis, Clive Chaucer Syndicates

IT Auditing Certificate
Hoy, Lindsey Axa Insurance Jones, Matthew Ageas (UK) Ray, David Blackburn Borough Council Rosser, Arran Torfaen County BoroughCouncil Solomon, Martyn Euler Hermes UK To find out how you can become qualified with the IIA,call 020 7498 0101, visit www.iia.org.uk or email studentsupport@iia.org.uk Disclaimer: although every effort has been made to ensure the accuracy of the above information, theChartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.

Working with aspiring members of The Chartered Institute of Internal Auditors since 1989

Student noticeboard

Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
length of time for which the candidate will need special arrangements and confirm the required proportion of extra time required. Students who require special arrangements should ensure that they review the latest version of the policy, which can be found at www.iia.org.uk under Regulations and policiesin the Student information centre. Submissions must be made before any examentry application. registered to sit the November exams. Candidates will be required to present a copy of this, as well as a photographic identity document, on entry to the exam room. If you have not received your correspondence by 5 November, contact exams@iia.org.uk or call the assessment coordinator, Aneta Zieba, on 020 7819 1928. Pre-exam instructions will also be made available on 29October in the Student information centre at www.iia.org.uk. The authorityto-sit correspondence will remind students to read these instructions in the run-up to the exams. Further information about your exam venue is also

Past papers and thechief examiners reports

The past paper packs and chiefexaminers reports from the June 2012 session will be available from 10 September inthe Qualifications and CPD section of the Student information centre at bit.ly/pastexampapers.

provided on the Examinations page of the website.

Case study release for the November 2012 exams

Case study material will be released to candidates on 30 October. Materials for the IIA Diploma accelerated route and the IIA Advanced Diploma will be published online in the Student information centre. Students will be reminded of the release via email on 30 October, so they should ensure that their contact details are up to date. Visit the My profile section of the members home page at www.iia.org.uk.

Special arrangements policy

The IIA provides exam arrangements that take account of students special requirements, providing that requests are submitted before an exam entry application. Applications for special arrangements must: Include details of the circumstances surrounding thespecial requirements. Include the required amendments to the examarrangements. Include independent documentary evidence of the condition/circumstance that the application is based upon. Be made using the special arrangements application form. Documentary evidence should usually take the form of a doctors letter. It must confirm that the candidate is suffering from a particular condition, give specific details of the likely

37

Authority-to-sit correspondence
Correspondence will be sent on 29 October to students

November 2012 exams

Exams will be held from 26 November to 29 November. Module IIA Diploma P1 The Internal Audit Environment P2 Financial Risks and Controls P3 Internal Audit Practice P4 Information Systems Auditing P5 Corporate Governance and Risk Management P7 Internal Audit Practice Case Study IIA Advanced Diploma M1 Strategic Management M2 Financial Management M3 Risk Assurance and Audit Management M4 Advanced Internal Auditing Case Study IIA IT Auditing Certificate A1 IT Auditing Certificate Multiple-Choice Questions Monday 26 9.30am to 11.30am Monday 26 Tuesday 27 Wednesday 28 Thursday 29 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm Monday 26 Tuesday 27 Tuesday 27 Wednesday 28 Thursday 29 Thursday 29 9.30am to 12.40pm 2pm to 5.10pm 9.30am to 12.40pm 9.30am to 12.40pm 9.30am to 12.40pm 2pm to 5.10pm November 2012 Time

>

Student noticeboard

<
Submission of professional experience journals (PEJs)
Individuals who have completed the theory modules of the IIA Diploma or IIA Advanced Diploma are encouraged to submit their PEJs as soon as possible ideally, electronically. Assessment of PEJs is completed within four weeks and successful submissions result in the award of the relevant designation. By submitting PEJs electronically and also requesting that signatories for their professional experience endorse such submissions electronically, it should save members and the institute time and money. Further information on the submission of PEJs, including the latest versions, can be found on the Qualifications and CPD pages of the IIA website under Completing your qualification .

IIA training courses & events

September
5-6 6
Auditing enterprise-wide riskmanagement (ERM) Dublin

For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org.uk or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

18

IIA North East: Project management/assurance leeds

bob.newbould@gmail.com

Data security and the Data Protection Act (DPA) London

19-20 20

9-10

A practical guide to evaluating risks and controls London

Heads of internal audit induction master class London

38

Heads of internal audit forum: Mergers and acquisitions opportunities and threats London

9-11 10 10

The internal auditors guide tostrategic thinking London

Internal auditing a beginners course york

IIA Scotland: Report writing Edinburgh

dawn.mcinnes@iia.org.uk

25-26

11

IIA annual conference 2012: Demanding the best from internal audit London

Auditing business continuity london

Assurance mapping thefoundations London

26 26 27

11-12 Your CPD

The Qualifications and CPD pages of the IIA website give details on the institutes CPD policy and members CPD requirements. One key requirement is that voting members monitor their professional development plans over the year. If you are a voting member, please take a look at the resources on the website and check that you are meeting your requirements. For any further information, contact the CPD team on cpd@ iia.org.uk or call 020 7819 1928.

Presentation skills for the less confident London

IIA Wales Cymru: High-performing internal audit functions Swindon

john.thomasson@iia.org.uk

IIA award in the effective delivery of audit and assurance York

11

11-13 12 12

IIA Midlands: Fraud Loughborough

ciiamids.events@gmail.com

Auditing the treasury function a practitioners guide LONDon

Internal auditing a beginnerscourse Surrey

11

Assurance mapping driving further benefits London

IIA Wales Cymru: How to catch a thief fraud, theft, risk management and internal audit Wrexham
john.thomasson@iia.org.uk

Seminar: Implementing thecloud benefits, challenges and risks for internal audit london

16

Ultimate persuasion techniques London

October
2-3
Leading the audit team London

Risk-based internal auditing apractitioners course London

13-14

16

IIA award in interpersonal skills for audit and assurance York

HIAS forum: Corruption is it on the audit radar? dublin

Looking for more? GO online

Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

39

16-17 17

IA award in information systemsaudit and assurance London

18 18

Networks a risk and controlsnapshot london

25

IIA North East: Fraud focus kicking fraud into touchforever? WAKEFIELD
juliewinham@barnsley.gov.uk

14

IIA Wales: Control frameworks master class swindon

john.thomasson@iia.org.uk

IIA Wales Cymru: How to catch athief: fraud, theft, risk management and internal audit Cardiff
john.thomasson@iia.org.uk

IIA Scotland: Environmental auditing Glasgow

dawn.mcinnes@iia.org.uk

31

IIA Midlands: IT and internalaudit Gaydon

ciiamids.events@gmail.com

17 17

18-19 19 24

HIAS forum: Social media risk and the impact on organisations london

IIA award in compliance audit and assurance london

November
1-2 9
IIA Scotland annual conference Dunblane
dawn.mcinnes@iia.org.uk

Post your event

Please state the event title,date, venue and contactdetails.

Getting to grips with risk London

How to audit procurement Dublin Fraud risk and the internalauditor LONDon

IIA regions and specialinterest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk

17-18

Risk-based internal auditing an audit management course LONDon

IIA/FAP annual conference London

The deadline for the November/December issue of Audit & Risk is 17 September.

We currently have the following vacancy:

Internal Auditor
35,938 - 38,140 pa with further progression to 41,639 pa on achieving designated skills and experience An exciting internal audit opportunity is available to an enthusiastic and motivated individual who thrives in a culture of change working within, and supporting, the University of Hertfordshire. The Internal Audit Service is responsible for evaluating and reporting the University groups arrangements for risk management, control and governance, value for money and providing assurance to the Governing Body and the Vice Chancellor. You will preferably be a qualified or part-qualified member of the Chartered Institute of Internal Auditors or a recognised professional accountancy body. You will have recent extensive experience of delivering a range of risk-based internal audit assignments. You will be able to work under pressure to tight deadlines and possess good communication skills, strong analytical and evaluation ability and good planning and organisational skills. Good report writing is essential. You will be able to deal confidently with senior management of the University group, staff at all levels in the academic and professional Strategic Business Units and the Universitys Audit Committee.

Under current UKBA regulations, the University is unlikely to be able to get a work permit in respect of this post. We can therefore only accept applications from people who will have the right to work in the UK for at least one year from the date of appointment. The University offers a range of benefits including a final salary pension scheme, professional development, family friendly policies, child care vouchers, waiving of course fees for the children of staff at UH, discounted memberships at the Hertfordshire Sports Village and generous annual leave.

Closing date: 21 September 2012

Ref: 009109CIIA

To apply visit go.herts.ac.uk/jobs

CRMA Global qualification

Only four months left to gain CRMA via the experience route
The Certification in Risk Management Assurance (CRMA) is aimed at experienced internal auditors and provides international recognition for expertise in delivering assurance on risk management, governance and strategy. Improving the risk management process is a top priority for internal audit. This is a fantastic opportunity add a qualification to your CV simply using your already hard earned achievements. Offered by IIA Global, the CRMA is currently available to IIA members in the UK and Ireland until 31st December 2012 via a Professional Experience Recognition (PER) route. Qualified IIA members (with PIIA or CMIIA) can use their qualification to gain points towards the CRMA accreditation. An exam to achieve the CRMA certification will be put in place in 2013.

For more information, visit www.iia.org.uk/crma or alternatively call 020 7819 1939.

Technology Risk Services

Location: Various across the UK Salary: competitive + benefits
At Grant Thornton UK LLP we have ambitious plans for the future. As part of the exciting times ahead, we now have various opportunities for people to join the team across the UK, including London, Birmingham and Bristol.

Roles
SAP Manager - London An exciting opportunity to help the firms SAP audit delivery capability to expand. You will have the opportunity to contribute to our methodologies, and to train and develop members of the team. The role requires strong organisational and communication skills and will provide the successful candidate with the opportunity to take responsibility for a wide-ranging existing SAP assurance client base, covering many sectors. Successful candidates will have strong technical expertise in SAP modules, and in performing BASIS reviews, segregation of duty assessments and data extraction analysis. IT Audit Executive Various office locations As the primary point of contact during field work you will be responsible for ensuring that all IT assurance work is carried out to the highest standard. This is a fantastic opportunity for experienced auditors (IT or financial audit) to join a successful and growing team. With exposure to a wide range of clients and a structured training programme in place you can look forward to growing a successful career. Experience We would like to hear from dynamic individuals with a passion for furthering their career within IT audit. For all roles successful candidates will hold either a professional accounting qualification (ACCA, ACA) or be qualified and experienced in IT audit (CISA, QiCA, CISM, IIA). Practice experience is desirable. To apply please visit grant-thornton.co.uk/careers quoting GT2459 for the SAP manager and GT2365 for the IT Audit Executive.

Background
Our Technology Risk Services team has ambitious growth plans and as a result we have new opportunities for aspiring individuals to join this highly respected team. You will join a refreshingly open and supportive environment where you can make a real difference. We pride ourselves on a creative culture that promotes independent thinking and rewards innovation.

grant-thornton.co.uk/careers
2012 Grant Thornton UK LLP. All rights reserved. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd. Grant Thornton International Ltd and the member firms are not a worldwide partnership. Services are delivered independently by member firms. Full disclaimer available at grant-thornton.co.uk

its all about understanding the risks

BDO is the award-winning UK member firm of the BDO international network, the worlds fifth largest accountancy organisation, with more than 1,000 offices in over 100 countries. BDO is building a strikingly different business, focused on exceptional client service. Employing exceptional people, the company culture helps them get on with the job, without needless bureaucracy. To continue the firms growth plans and strengthen client relationships, Internal Auditors are required to join our expanding Risk Advisory Services team, based in our London office. Internal Auditors will be required to work closely with senior members within the team. Engaging with a wide range of clients, you will have the opportunity to work on internal audit assignments of moderate complexity and variety; assess risks and apply internal control concepts, assessing the exposures resulting from ineffective or missing control practices. The ability to identify and define financial, operational and compliance risks and formulate recommendations which are proactive, practical and cost effective is essential. Documenting facts and information to support the work and conclusions is key, including evaluating audit results, weighting the relevancy, accuracy and perspective of conclusions against the evidence. To be considered for this role you must demonstrate previous internal audit experience, including having an up to date knowledge of relevant legislation. Ideally you will be CMIIA or CCAB or studying towards these or other equivalent qualifications. You will need to be flexible to travel on a regular basis locally with potential for wider travel. To apply for this role please apply online at: www.bdocareers.co.uk using Job ID 1382

For further opportunities within BDO please visit: www.bdocareers.co.uk

Get PIIA qualified

Sign up now for the IIAs comprehensive distance learning programme for the IIA Diploma to sit exams in June 13. Our programme gives you the structure you need to successfully complete your qualifications including: s s s s s Online support Committed and experienced tutors Consistently high pass rates Bespoke and up-to-date study materials Study support and revision workshops
Kick off your revision for the November 12 exams by attending one of our revision workshops.

Dont delay get qualified!

Contact IIA Learning: Tel 020 7819 1939 email learning@iia.org.uk www.iia.org.uk/learning

Tailored quality review services from the IIA

Guidance and support from the independent internal audit experts
From a free self assessment checklist to a full External Quality Assessment, IIA quality review services combine high quality feedback, flexibility and affordability. Find out more: www.iia.org.uk/quality 07966 494462 | chris.baker@iia.org.uk

corporate governance recruitment

London Senior Auditor London 55,000+Bens Regions Senior Technical Auditor Manchester To55,000+Bens
Our client, a large financial services organisation based in the North West of England, is looking for someone keen to join a growing, diverse business and form part of their expanding internal audit function. This is a high profile role and you will require a technical background in banking (specific experience in Treasury, Liquidity and Credit Risk an advantage) and the networking skills to positively influence senior stakeholders in the organisation.

IT Audit IT Internal Auditor London c.40,000+Bonus+Bens

This international asset management business is looking to recruit an IT audit professional to join their medium sized team based in London. Working on reviews of applications, infrastructure and project management this is an ideal opportunity for someone who has recently gained their CISA certification and is looking to progress their career in a high profile and well respected company.

Audit Risk Compliance Security Legal Treasury

London Edinburgh New York Dubai Hong Kong Singapore

An opportunity has arisen for a Senior Auditor to work in a historical Financial Services organisation in the heart of the City. You will be given exposure across the whole business, coupled with fantastic opportunities for internal promotion and movement into the business. Excellent academics and a relevant professional qualification are essential and experience in prudential regulations e.g. Basel III and Solvency II will be highly advantageous.

VP/Director London 80110,000+Bonus+Bens

Due to expansion and internal promotion my client is recruiting for two positions. One is for a fixed income and the other is for an equities audit specialist. You should have deep audit experience in one or both of these areas and will gain broad product and business exposure within the Investment bank. Both positions hold senior stakeholder relationship management responsibility and will have a major input into the annual audit plan.

Senior Internal Auditor North West To40,000+Bens

An exceptional opportunity has arisen to join a prestigious private bank who specialise in investment management. This role represents an excellent prospect for an ambitious hands-on auditor to join a small audit team where over time you will be able to develop your career. Supported by a bespoke package of training and support you will be given every chance to develop additional skills and experience across a range of business areas.

IT Auditor North To55,000+Car+Bonus+Bens

Excellent relationship management and technical IT audit skills, including reviews of online payments and website content, are needed for this well known Plc. This is an international role so all applicants must be prepared to travel. Applicants should be working at Manager level in a Big 4 firm or the equivalent within a large complex financial services or commercial business.

Senior Internal Auditor West of London To47,000+Car+Bens

This is an opportunity to take the first steps towards a rewarding career in a FTSE 30 energy group. You will be joining a large well regarded audit function with a real focus on training and development. Applicants must hold a full finance or audit qualification and be able to demonstrate experience of working with large multinational groups in either an internal or external audit capacity. Some UK travel will be required.

Internal Auditor Midlands To40,000+Car+Bonus+Bens

Our client, a large Plc which has recently undergone extensive restructuring, is seeking to appoint an Internal Auditor to report directly to the Group Assurance Director. You will deliver audits across financial and operational control areas. The successful candidate will be a qualified auditor with previous internal audit experience and an ambition to move into the business after 2 years; something this client actively promotes.

Senior IT Auditor Midlands c.35,000+Bonus+Bens

Working for this leading consultancy you will deliver IT audit assignments to a range of public and private sector clients. Your role will be to provide the advice necessary to help both internal and external audit clients manage IT risk. To meet the requirements of the post you must have IT Audit experience, ideally gained via another consultancy or in the public sector, and must hold a relevant IT Audit qualification.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW

Senior Internal Auditor London To59,000+Bens

We are currently recruiting for a market leading mutual organisation. Reporting to the Head of Assurance the position requires a professionally qualified self starter with experience of risk based auditing and end to end process reviews and the ability to influence senior management. The position offers the scope to shape audit methodology and the potential to present to the Audit Committee when required. For further details of positions in London/City contact Alexia Demetriou 020 7936 2601 ad@barclaysimpson.com

Internal Audit Manager North West To65,000+Bens

Given the continued success and growth of the business our client has decided to invest in a dedicated Internal Audit resource to ensure it appropriately manages its risk and has the assurance that its internal controls and processes remain fit for purpose. Using a consultative approach, you will have the gravitas and personality to quickly prove to the business the value an investment in internal audit can have on overall business performance. For further details of positions in the Regions contact David Jarrold 020 7936 2601 dj@barclaysimpson.com

SAP IT Audit Manager London c.65,000+Bonus+Bens

An exciting opportunity has arisen to take responsibility as the technical lead for all SAP IT Audit work at a leading consultancy. Working with mainly large corporate clients you will lead small teams on internal and external audit work, provide advice on SAP risks and assist in the promotion and growth of the service line. This role offers a great chance to develop your career towards a Senior Manager post. For further details of positions in IT Audit contact Daniel Flynn 020 7936 2601 df@barclaysimpson.com

020 7936 2601

Barclay Simpson Scotland 910 St Andrew Square Edinburgh EH2 2AF

0131 209 7850

bs@barclaysimpson.com www.barclaysimpson.com

Scotland Head of Audit Change Edinburgh Six figures

Our client is a well known retail bank looking to recruit an experienced audit professional to take charge of a major part of the change audit plan focused on legal and regulatory change. You will work with a number of key stakeholders across the business to ensure that multi-million pound change programmes have appropriate controls in place. For this role you will require previous change or project assurance audit experience.

International Treasury Audit Manager New York $100150,000+Bens

Joining a newly created Treasury Audit function this high profile role will see you lead, establish and maintain Treasury Audit programs. Specifically you will manage audits across ALM, Credit risk, Capital Management and Stress Testing and work with senior management to identify key risk issues. Detailed treasury product understanding is essential and you must have unrestricted authorization to work in the USA.

Nationwide Interim Opportunities

Surrey London London Central London Surrey London Scotland London London South-East Senior Auditor Senior Auditor General Manager Audit Manager Senior Auditor IT SOX Auditor Audit Manager IT Auditor Markets Auditor Principal Auditor Commerce Investment Banking Commerce Energy Insurance Investment Banking Central Government Banking Consultancy Central Government 250 per day 400 per day 75,000 pro-rata 60,000 pro-rata 350 per day 425 per day 60,000 pro-rata 450 per day 500 per day 44,000 pro-rata

Senior Internal Auditor Edinburgh 40,000+Bens

This role will involve delivering a mixture of general controls assurance work and specific projects on behalf of a major global consultancy. Based in Central Scotland you should have the flexibility to travel on a local basis. On offer is an exciting and challenging career which will give you the chance to work with some of Scotlands most dynamic businesses. Applicants must be professionally qualified with first class communication skills.

Corp. Governance Manager Zurich area Competitive package

This truly international group operating globally in the manufacturing sector is looking for a versatile Corporate Governance Manager to work on a wide range of projects involving Governance, Risk Management and Compliance. You will benefit from high exposure to the top management of the group globally and work on highly strategic projects. Candidates who wish to apply must be already based in Switzerland.

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com

www.barclaysimpson.com/interimsolutions

IT Audit Manager Glasgow 45,000+Bens

This position will involve undertaking IT risk and control reviews across a range of different areas within a major banking group. You will plan, deliver and review work, agree follow up actions and run workshops designed to bolster awareness of IT risk across the business. As you will work with stakeholders at a variety of different levels, strong communication skills and a sound knowledge of risk and control is required. For further details of positions in Scotland contact Liam Hughes 0131 209 7850 lh@barclaysimpson.com

Senior Internal Audit Manager Hong Kong ToHK$1.4million+Bonus+Bens

Our client, a luxury goods company, has enjoyed significant growth in recent years. This growth is set to continue as Asia operations expand. Reporting to the Group Chief Auditor you will lead the Asia audit team. You will devise and execute the Asia audit plan and assist the business in deploying improved business processes. Significant travel within Asia and hands-on audit work is expected in conjunction with managing the Asia audit team. For further details of International positions contact Marie Marchi 020 7936 2601 mm@barclaysimpson.com

Mid Year Market Report 2012

Up to date overview of the economy and its impact on corporate governance Sector analysis of the demand for internal auditors Review of salaries Outlook for the future
Download your free copy at: www.barclaysimpson.com

Visit www.barclaysimpson.com to access a vast range of free online resources

Search hundreds of audit vacancies Find your current market value Information on where best to live and work Focus on Computer Audit Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the RECs Diversity Initiative.

For more details visit: www.barclaysimpson.com/equalopps

corporate governance recruitment

Data Analytics/CAATs Internal Audit Manager

South East England or Houston, Texas /$ Excellent + Bonus
Our client is listed on both the London and New York stock exchanges and is a household name operating globally. Heightened regulation and a commitment to develop its UK and US data analytics internal audit function has led to an excellent opportunity for a CAATs & Data Analytics Internal Audit Manager who can be based in their offices in South East England or Houston, Texas.
You will be a subject matter expert in Data Analytics and Computing Aided Auditing Techniques (CAATs) with detailed knowledge on a variety of technologies. You will have the experience to train UK and US based auditors in the usage of CAATs and support senior management in its roll-out. Ideally you will also have experience in managing strategic relations with technology providers. This role offers an excellent compensation package and long term career opportunities. All applicants considering the role in Houston, Texas must hold a valid US work visa.

For further information on this role please contact Daniel Flynn at df@barclaysimpson.com for the UK based role and Daniel Close at dc@barclaysimpson.com for the US based role.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com

020 7936 2601

www.barclaysimpson.com