RIP ethics?
Issue 2 November/December 2011
Turning risk appetite into an opportunity
Shock tactics: dealing with geopolitical risk
Lean on me: could mentoring boost your career?
New voices: meet the institute's incoming officers
Contents
Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd.
Editors: Ruth Prickett, ruth.prickett@caspianmedia.com, 020 7368 7170; Alice Hoey, alice.hoey@caspianmedia.com, 020 7368 7151
Chartered Institute of Internal Auditors: info@iia.org.uk, www.iia.org.uk, 020 7498 0101
Subscriptions: membership@iia.org.uk, 020 7498 0101
Advertising: Lisa Govier, lisa.govier@caspianmedia.com, 020 7368 7133; Ian Mehrer, ian.mehrer@caspianmedia.com, 020 7368 7114
Creative director: Nick Dixon
Art editor: David Twardawa
Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited.
Front
3 The IIA view
From the CEO, Ian Peters.
Features
12 Bad company
Internal audit's role in tackling corporate malpractice in the UK.
REGULARS
30 Tools for the job
Resources, books, advice and guidance to help you perform.
4 World view
From Richard Chambers, IIA Global president and CEO.
16 Seismic precautions
Why geopolitical risk affects all organisations, wherever they operate in the world.
20 Healthy appetite
How risk, properly managed, can become less of a threat and more of an opportunity.
7 Feedback
Readers' comments.
33 Getting qualified
Crucial exam information.
8 Update
The latest news affecting the profession.
24 New voices
Introducing IIA president David Reynolds and his deputy, Nicola Rimmer.
10 Vital statistics
The latest research findings on the effectiveness of non-executive directors.
28 Crime Inc
How Falkirk Council tackled organised criminals.
40 Moving up
People and posts.
In the launch issue of Audit & Risk (September/October) I was keen to stress that the internal auditing profession has much to debate about its role, tools, techniques and practices. Our annual conference, which took place at the end of September and had a theme of "Driving business value", proved an effective platform for such discussions. The first morning was designed to seek perspectives from a range of internal audit's stakeholders, so we heard the views of Jann Brown, managing director and chief financial officer at Cairn Energy; Colin Day, audit committee chairman at AMEC; and Mark Carawan, chief internal auditor at Citigroup and a member of the institute's council. They discussed internal audit's position as a strategic partner to the business and concluded that such a role will go a long way towards meeting the needs and expectations of our profession's stakeholders. It will truly unleash internal audit's value to the business. But getting there requires a push on two fronts. Individual practitioners, particularly heads of internal audit, need to focus more on engaging with their boards and audit committees, understanding their needs and in turn ensuring that they understand what internal audit can do for them as a business partner. And the institute, as the voice of the profession, needs to raise its profile and increase its influence. This is what we are aiming to achieve with our efforts to communicate with business leaders and policy-makers, both directly and indirectly through our media relations work. Our relationships with key media contacts are getting stronger. This is demonstrated by the significant publicity we gained for the results of our survey of heads of internal audit and their relationship with non-executive directors on the management of risk (see Reportage, page 10). Some of those results also feature in the article on page 20, which discusses the transformational effect of managing an organisation's risk appetite. But, as the article points out, our survey showed that many organisations could substantially improve their approach to risk appetite and indeed their understanding and application of risk management.
To achieve this, leaders in organisations still need to understand that the correct tone at the top is crucial to drive a strong culture of risk management. Leaders create that tone as much by their own ethical behaviour as by the policies they set. What they do is as important as what they say. This applies equally to the private and public sectors. The recent concerns about the judgment and behaviour of the former secretary of state for defence are a topical example. His use of a friend as an unofficial adviser was clearly wrong. He was warned about the risks by those responsible for governance in the MoD, yet he did not respond appropriately. That particular issue has reached the only correct conclusion, but the broader debate about establishing ethical behaviour continues. The challenge for leaders is to create the right tone at the top. The challenge for internal audit is to be aligned as a partner to support its delivery. I hope the articles in this edition prove a useful contribution to your knowledge about the issues and a source of information about how practitioners are tackling some of these. Our launch edition seems to have met its objectives, judging by the feedback we have received so far on the print magazine and its new website. Thank you for your views, observations and suggestions for its further development.
Whenever I travel, I meet internal auditors with a similar vision. The words vary, but the message is clear: "How can internal auditors get a seat at the table? What is IIA Global doing to help internal auditors become recognised and accepted as a part of senior management?" We have more work to do in this area, and most of this must be done by individual internal auditors who are not yet seen as part of their organisation's senior management team. The problem is that many of these people are unaware of all the steps necessary to achieve their vision. Having a seat at the table is an admirable goal, but first it's important to examine why you want to be there. Too often, internal auditors treat getting to the table merely as a sign of success. This is a mistake. We must be there for the right reasons, not because we hope that being with senior executives will make others view us as senior executives. A seat at the table is a means, not an end, and if you don't prepare for it you may damage, rather than enhance, your career. It's also a mistake to view a seat at the table as a source of audit leads. If you leave your first management meeting with plans for an immediate audit of the operating unit discussed at the meeting, you may not be invited to the next one. You need to add value, not prevent others from talking freely. Management will benefit from our being at the table only if we are prepared to share, not just to listen. It is similar to being guests at a dinner party: we want our hosts to invite us back. It helps if we bring something fresh, interesting and important to the discussion. Focus on how to make operations better in the future, not on mistakes made in the past, and so provide not just hindsight, but also insight. The table is not a training ground. We need to be able to discuss critical strategies and business risks facing our organisations. It is vital that we understand our organisations' core business and are aware of both internal risks and external factors affecting our industry. If we don't bring our own perspectives, we won't add value. And we must be able to defend our views by ensuring we fully understand the discussion. Most internal auditors can offer such valuable insights long before they are invited
to the table, because getting there usually comes about through the relationships they've built. It's not what we write in audit reports that gets us to the table; it's what we do and how we interact with management every day. Senior executives will want us there if they respect us and see us as knowledgeable, trusted advisers. Cultivating strong working relationships involves being aware of the issues keeping management awake at night. By the time most internal auditors are at the table, they no longer see management meetings primarily as sources of leads for audits because they are already fully informed on subjects likely to be discussed. Adding value at the table requires a different perspective from the one we use as internal control advisers. Most internal auditors can discuss internal controls for a new strategic initiative, but when management discusses the feasibility of such an initiative, controls may be just one facet of this. To act as senior management we must also add value to other parts of the discussion. An important part of IIA Global's strategic plan is to support internal auditors across the world in their quest to obtain a place at the table. We can advocate internal auditors and promote the value of internal auditing, but decisions over the scope of the role are made by organisations. Each internal auditor must therefore demonstrate the insight and capabilities to participate in their senior management team. Knowing what we want to accomplish and preparing diligently greatly increases our chances of getting there.
The Chartered Institute of Internal Auditors has made significant progress in recent years. In my new role on the IIA's council I want to ensure that the institute continues to lead and promote the profession and the services it offers to both existing and prospective members. I'm aiming to develop close relationships between IIA headquarters and the regions and to stay in touch with local members. It's essential to ensure that their needs are being properly considered when developing strategy and implementing improvements. In light of the current economic conditions, one of the key challenges for the IIA is to attract new talent to the profession while retaining existing members. The institute is working hard to expand and improve the services it offers through the delivery of its "Essential to success" strategy, which will help to address some of the challenges it faces. Other key tasks for the internal audit profession as a whole include keeping up to speed with regulatory developments and understanding business risks arising from the euro crisis and the effects of Solvency II. This issue of Audit & Risk includes a feature on a recent report by the Institute of Risk Management (IRM) that highlights the opportunities that can exist for organisations in setting and managing risk effectively (page 20). It is vital that organisations understand the level of risk they are exposed to and factor this into all of their decision-making so that they understand what could go wrong and the impact that might have. But this should not prevent risks or opportunities from being taken as long
as the risks are clearly understood. I believe it's essential for all successful organisations to build risk appetite into their strategies, systems and processes. For all key risks there should be specific tolerance criteria agreed by boards and audit committees, which are then reviewed regularly. As the IRM paper outlines, responsibility for risk management lies with all employees in an organisation and the organisational culture from the top down should reflect this. People could be rewarded for highlighting risks and suggesting solutions to address these. Another option might be to include responsibility for risk management in employees' job descriptions and employment contracts. Internal auditors are well placed to provide advice and guidance, working with the business to aid the establishment of an appropriate framework. In addition, they can conduct periodic reviews to ensure that the framework has been embedded. One of the risks highlighted in this magazine (on page 12) and in several other publications lately has been that of individual malpractice. Malpractice will always remain a risk and, in my experience, it varies significantly across organisations. There is a view that this risk may increase as a result of the current economic conditions, but well-designed systems and processes with effective controls should minimise it. Organisations should, wherever possible, be making best use of the available technology in order to combat malpractice efficiently and effectively.
Feedback
We want to know what you think of the new Audit & Risk magazine and of the www.auditandrisk.org.uk website. These are edited versions of some of the comments we've had so far, but we'd like to keep the conversation going and to find out what you want to see in future issues. Please let us know by commenting on individual stories on the website or by joining the discussion forum in the knowledge centre at www.iia.org.uk.
First impressions are often deceptive: smaller, fewer pages and where have the page numbers gone? Then it starts to sink in. OK, so the new magazine is smaller, but so is the type and there are fewer big pictures and it feels more like content. There's more of an edge to the look and it feels more incisive and engaging. The graphics are more current and reflect a more hands-on approach. Something's happened to the paper as well. No longer is it glossy and glam. Now it feels more purposeful. Then you come to the content. It has a news-like presentation and is to the point. We no longer have people sharing their views, but now we have "words by". It also feels as though these writers are real auditors and HIAs. Even the stalwart Neil Hodge (I like his work) seems to give a more punchy, but considered, perspective. And the postscript information that's provided is also good: if I'm interested in pursuing further research on an item, I have a starting point. Oh yes, and the page numbers were there at the middle on one side. Right under my thumb. Overall, then, I think it's brilliant. Well done, Dr Peters and the IIA team. It's a really professional magazine for our chartered institute.
Rogue Trader

A change is as good as a rest and I quite like the look of the magazine. It feels and looks a bit like Management Today. The magazine's website looks OK and I'll get used to finding things on it, but having two websites to go around seems less user-friendly. For example, where do I go for the latest information and news: the magazine website or the main institute site or both? A magazine every two months and an extra website that initially seems to replicate the content of the magazine and some of the main IIA website doesn't feel like a wonderful improvement or fair swap to me at this stage, but I hope that I'll be convinced by the improved quality of the content as time goes by.
Chessh

Overall, it's a modern magazine for our profession. It's less glossy and more matt and Economist-like. Many readers will still turn to the back pages first, but they will also find a clearer diary of audit courses and events. Maybe in future a PDF or iPad version would allow people to choose whether they wanted the physical magazine any more. But, while I'm not averse to having separate websites, the location of this forum on www.iia.org.uk is a contradiction. The change is appreciated, though.
Hainba

I like the layout and style. Mind you, I also liked the old-style magazine. I'm also happy with it being published every two months, since the articles can seem rather repetitive at times. But I don't understand why some jobs are advertised in the magazine that are not on the IIA site. If anything, I would have expected it to be the other way round.
Simon

An interesting article, as ever, from Lord Smith (Eyes wide open), although I have never really seen myself as a canary. Still, it's better than being a dodo.
Aidan

"This role requires a balanced approach and real bravery" (Eyes wide open). I couldn't agree more, but the canary in the mineshaft was sacrificial: when it dropped off its perch the miners knew there was too much methane in the air and they should get out. I don't think many people would want a career in internal audit if our demise was the first indicator that a business was in trouble. That's the trouble with metaphors.
Sarah

I like the quality and size of the magazine. I also like the technical Q&A session, which should encourage more internal auditors to use the online forum facility that the institute provides.
John
UPDATE
We round up the latest business and regulatory news to affect the internal audit profession.
Cyber threats forecast for 2012
Next year will see new and increasingly sophisticated means of capturing and exploiting user data, as well as a battle for the control of online information, according to internet security experts. The Georgia Tech emerging cyber threats report for 2012 has identified a number of trends that will become increasingly important for organisations to manage. Key issues include the lack of security surrounding mobile applications; the increased threat of botnets (networks of compromised computers used for malicious purposes); the risks facing users of cloud computing; and how information needs to be controlled online.
audit plans that they could not address properly owing to a lack of resources and expertise. The survey confirmed that the smaller the company, the less likely it was to have an IT audit function: 43 per cent of companies turning over less than $100m a year had no such department. Of organisations with annual revenues of $100m to $1bn, 82 per cent did not have a designated IT audit director or an equivalent role. Protiviti also found that nearly 70 per cent of North American companies and nearly 80 per cent of companies in Europe, Africa and Asia had not completed an evaluation and assessment of their IT governance process, as outlined in the IIA's standard 2110.A2. Mark Peters, UK director at Protiviti, said: "If an internal audit function is not thinking about IT governance, IT risks and conducting an IT risk assessment, it should be." The increased use of, and demand for, technology and data compel companies to review how they are used and the risks this creates. For more information about the survey, visit bit.ly/qH2pxF
problem is not a lack of information, but a lack of properly focused information. Guidelines on how companies should report their risks would be a huge step. The FRC is not the only body working to make corporate disclosures more useful. The International Integrated Reporting Committee (IIRC), a group representing businesses, accountants and investors, has published a discussion paper calling on companies to publish more comprehensive and meaningful information about all aspects of their performance in a more concise and user-friendly format. The paper also offers initial proposals for the development of an international integrated reporting framework. For more information about the FRC's plans, visit bit.ly/p6XU96. The IIRC paper can be accessed at www.theiirc.org
71% of HIAs can see substantial scope for improving the understanding of risk across their organisation.
REPORTAGE
Heads of internal audit overwhelmingly believe that the quality of non-executive directors (Neds) and the importance of their role have increased in recent years, according to an IIA survey of more than 200 HIAs. But the findings, covered by a range of media, including the Financial Times and BBC Radio 5 live, also show that there's still a long way to go in improving board-level risk management in many organisations.
66% 28%
of HIAs said their Neds had an average or poor understanding of their company's operational risks.
Key issues
32%
Many Neds fail to probe risks and a significant minority lack the necessary independence: of HIAs said the Neds on their board did not scrutinise risk adequately and 17 per cent reported that they did not believe their Neds operated independently enough to challenge the executive management team.
28% 63%
Neds' analysis of risk may be too narrow: of boards surveyed had no formal process to determine how much risk the business should be prepared to take on and paid too little attention to operational and compliance risks.
In many companies, reviewing risk is left entirely to the audit committee: of respondents said that audit committee members alone had contact with the internal audit team. Consequently, other Neds may be missing a chance to bring their knowledge and experience to bear on crucial risk issues.
"Boards' scrutiny of risk management still needs to become more robust. This must be the number-one lesson from the financial crisis"
Ian Peters, chief executive of the IIA.
Bad company
Overlooked and under-reported, the true extent of corporate malpractice in the UK is an unknown quantity.
Words: John Coutts
Backhanders. Bungs. Kickbacks. Payola. Backsheesh. There's no shortage of slang to describe the dark arts of corruption. Yet such expressions arguably take the sting out of what is, potentially, an increasingly serious problem. According to a recent report by Transparency International, a non-governmental organisation that monitors malpractice, the UK doesn't take the threat of corruption seriously enough. "It is clear that there is systemic complacency about corruption in this country, even if the problem is not endemic," says Chandrashekhar Krishnan, executive director of Transparency International UK. Companies with internal auditors are generally well run and less likely to tolerate or perpetrate crimes such as fraud, bribery and corruption. But there's no such thing as a zero-risk environment. And, while most cases of corporate malpractice involve very small numbers of people, the penalties and reputational impact can be serious. Companies with overseas operations face particular risks. This is highlighted by a recent High Court case in which the Serious Fraud Office (SFO) took action against Macmillan Publishers Limited (MPL). The initial inquiry started after a report from the World Bank: an attempt had been made by an agent to pay a sum of money with a view to persuading the award of a World Bank-funded tender to supply educational materials in South Sudan. MPL was ordered to pay more than £11m in recognition of sums it received, generated through unlawful conduct related to its education division in east and west Africa. This case is one of a growing number pursued by the SFO under civil, rather than criminal, proceedings. It represents a new and more lenient approach, but civil settlement is an avenue that is open only to companies prepared to step forward and co-operate. Adopting this approach allows businesses to limit the damage if serious wrongdoing is discovered. "We're not looking to put anybody out of business," says Jane de Lozey, a senior lawyer at the SFO. "But we are looking to stamp out fraud and corruption. What we are offering is a degree of pragmatism and commercial awareness, and we're promising to listen. If companies have a genuine intent to clean up their act and to put in place proper procedures, we will work with them to achieve that."
Like an individual person, a company can be charged, tried, found guilty and sentenced. A criminal conviction for a business can spell disaster, in some cases barring companies from EU procurement contracts. A civil settlement, by contrast, allows justice to be done without sinking the organisation in the process. The real extent of corporate crime remains a matter of guesswork. Few official statistics are compiled (none in the case of bribery). But figures provided in response to a parliamentary question in 2009 revealed that in the ten years to 2007, an average of 12 people each year were convicted under bribery and corruption legislation. This figure is considered low by international standards. Despite the enactment of the Bribery Act 2010, few experts envisage an upsurge in convictions for corruption, at least for acts of bribery committed within the UK. But the new legislation, essential in fulfilling the UK's obligations under the OECD's anti-bribery convention, widened the net considerably by creating a new offence of a failure by a commercial organisation to prevent a bribe being paid for or on its behalf.
Significantly, organisations with adequate policies and procedures in place to counter bribery are able to offer this as a defence under the new act. Providing assurance to the board, via the audit committee, that those policies are being administered effectively is a key role for internal auditors.
Remote control
Keeping tabs on operations outside the UK presents a challenge, especially in remote locations, because, in many cases, companies have to make use of people who are not employed directly by them. Rigorous selection and oversight processes are essential, therefore. "We've always had a robust process that we go through before we sign on any intermediaries or third parties to work on our behalf," says Audrey Coutinho, global director for internal audit at publisher Reed Elsevier. "That means working with people who align with our code of ethics and code of conduct. But, to a great extent, we make sure that we have our own people on the ground. This gives you far greater control and better audit visibility."
Successful businesses recognise that a zero-tolerance approach is the only way. That means continuous monitoring and being prepared to take decisive steps, including contract terminations. "If you have a gut feeling that something isn't right or if you don't like the way a particular agent is working, find somebody else you are happy to work with," says Coutinho. "It's a far more proactive approach than waiting for something to happen." Preventing fraud and creating a climate that limits opportunities for wrongdoing is a management function. The role of internal audit is to test that the controls in place to identify and minimise corporate malpractice are working correctly. In the case of BT, that process starts the moment new recruits walk through the door. Staff are expected to abide by the company's code of ethics, set out in a document called "The way we work". Regular training and testing is mandatory. "Everybody, no matter who they are, has to complete that training," says James Grigor, director of internal audit at BT. "My team provides independent assurance that this is being delivered effectively."
In large organisations (BT employs about 100,000 people), good communications are at the heart of sound corporate governance. "The success of any audit team depends on how it engages with other stakeholders in the organisation," Grigor stresses. "So our relationship with the governance teams, the compliance teams, the security teams and investigations teams is essential. With those functions working together, you create an environment that is tangibly robust to the threat of malpractice."
Lapdog souchong
In well-run businesses, the primary consideration is making sure that corruption is not allowed to take root in the first place. That starts by recognising that malpractice can be a tough nut to crack, and it can all start with a cup of tea. Transparency International highlights the practice known as "grooming", in which employees involved in procurement are systematically compromised, with cups of tea giving way to corporate hospitality, tickets to events and promises of holiday accommodation, on the understanding that a particular bidder is favoured. The ramping up of bribes is one of the hallmarks of grooming. By the time large inducements are offered, employees may be too afraid to call a stop for fear of revealing hospitality that's already been received. What's clear is that corruption, particularly in its early stages, is notoriously hard to spot. So what are the warning signs that internal auditors should look out for? "One of them is evasive or unnecessarily complicated answers to straightforward questions," says the SFO's De Lozey. "Other things to watch for are people who keep cancelling meetings with you and employees who refer everything upwards." A determination to leave no stone unturned is critical in such situations. "Be suspicious in cases where copies of documents are provided to you and you are told that the originals are lost, and scrutinise unusual transactions," De Lozey advises. "Be aware of any change of auditors and accountants, particularly from one of the large firms to a much smaller one." Internal auditors should also be on the lookout for unusual advisers: people or organisations you would not expect to find acting as intermediaries on a particular deal, perhaps because the firm is one you've not encountered before, or one that does not have a reputation in the relevant area.
"Generally, the use of introducers and anything labelled a commission payment must be scrutinised very carefully," De Lozey stresses. Significant commission payments, those outside the industry norm, should ring alarm bells. In one case, a company was being run fraudulently and had listed in its accounts sales commission payments to bogus members of staff. If anyone had checked the list of current employees, they would have seen that these names weren't of this firm's members of staff; they were employees of the large company that they were corrupting, and bribing. The difficulty with tackling any fraudulent activity, on any scale, is that the people involved will usually be highly adept at covering their tracks. While there's no magic bullet, persistence by internal auditors pays off. "You have to be prepared to dig around," says De Lozey. "Be a nuisance and never accept the glib answers that people give you."
Fraud
An act of deception intended for personal gain or to cause a loss to another party. The offence can include deception whereby someone knowingly makes a false representation, fails to disclose information or abuses their position.
Insider trading
In financial markets, this occurs when an insider deals, or attempts to deal, on the basis of precise information that is not generally available.
Corruption
A broad term covering a wide range of illegal activities, including those such as bribery, in which private gain is obtained at public expense. Transparency International defines corruption as the abuse of entrusted power for private gain. It hurts everyone whose life, livelihood or happiness depends on the integrity of people in a position of authority.
Kickback
That part of the value of a contract demanded as a bribe by an official for securing the contract.
Conflict of interest
This arises when an employee has an economic or personal interest in a transaction.
Illegal gratuity
In effect, this is bribery after the event: giving or taking something of value after a transaction is completed in acknowledgment of influence over that dealing.
Cartel
An agreement between two or more businesses not to compete. The Office of Fair Trading notes that
Price fixing
An agreement, usually by suppliers, to sell only at a fixed price (see Cartel). Some types of price fixing are legal.
Corporate espionage
This includes the theft
Seismic precautions
This year has provided several reminders that cataclysmic events can occur even in the most developed and stable markets and that the aftershocks can be felt around the world. How well prepared is your organisation for geopolitical risks?
Words: Neil Hodge Main Photograph: Sebastiao Salgado/ nbpictures
The Japanese earthquake and tsunami in March closed the world's largest market for producing and shipping components, from car parts to computer chips, for weeks. Companies such as Apple, which sourced most of the parts for its iPad and iPhone devices from Japan, had to scramble to find alternative suppliers. Meanwhile, revolts in north Africa and the Middle East escalated throughout the spring, reminding companies around the world of the potential dangers for their operations in these markets and demonstrating the damage that political instability can do to production. It is hardly surprising, therefore, that geopolitical risk is a hot topic on the boardroom agenda. This is putting pressure on internal auditors to keep abreast of the new threats and their potential consequences and to challenge management thinking about them. Some industries are more experienced at identifying
Case study: from prime destination to last resort
Tourism is an industry that's particularly vulnerable to geopolitical risk. "Keeping a check on political trends is important to us, as we have hotels worldwide, many of them in high-risk countries in Africa, Asia and Latin America," says the director of security at a leading hotel chain. He says that the group's security management strategy hinges on sound intelligence and information-sharing. Many of the company's security experts have a background in military intelligence. "We rely on local expertise to tell us of any threats that may affect our hotels or guests and staff. For example, we had tip-offs five days in advance that the protest in Tahrir Square in Cairo would be met with military force on Friday after prayers. This gave us time to plan and enforce security around our buildings and to advise guests to stay indoors." He says that the Hotel Security Working Group (a collaborative group of security chiefs in the world's biggest hotel chains, including Marriott and Hilton, which is sponsored by the US State Department) also provided invaluable guidance. "We picked up practical advice from heads of security at other hotel groups that we could compare with our own assessments of the situation. This gave us a clearer indication of whether our information was accurate, what actions our rivals were taking and what advice the State Department and the UK Foreign and Commonwealth Office were providing." He believes that such information-sharing arrangements are vital for managing geopolitical risks, adding: "Other industries are seeking to set up similar working groups to address these kinds of risks and improve their contingency planning."
Crude tactics: it took nearly a year to extinguish all of the 600-plus Kuwaiti oil wells set ablaze by retreating Iraqi forces during the first Gulf war in 1991.
and managing such risks than others. The oil and gas sector has operated in high-risk countries ever since drilling began. BP's board, for example, reviews its key group risks and how they are managed every year as part of its annual group plan. It decides which geopolitical risks it will monitor and which will be allocated to other committees to oversee, with appropriate reporting back to the board. UK airports operator BAA also puts geopolitical risks high on its agenda. It says that unanticipated long-term changes in demand for air travel could lead to misaligned operational capacity. The company conducts a series of scenario-planning exercises to ensure that it can react effectively to adverse contingencies.
What could possibly go wrong? BAA uses scenario planning to inform its geopolitical risk management strategy.
But companies in less obviously dangerous sectors can also be exposed to such risks. French yoghurt company Danone, for example, identifies geopolitical events among the factors that could substantially affect the price of its raw materials for products and packaging. Price volatility will hit the group's financial results, particularly if it can't pass cost rises on to customers. Danone recently expanded into the Middle East and north Africa, but its plans have already hit problems. In Egypt, for example, the company had to close its operations for a fortnight while it offered expat workers the chance to repatriate during the uprising. Its ability to move dairy cattle was disrupted and three of its cows died while waiting for transport. Danone says the problems could have been worse, but adds that it is very aware of the increased political risk of operating in such countries. Yet organisations in some sectors still underestimate the potential impact of geopolitical factors, believing them to be relevant only to high-risk and cash-intensive industries such as mining, defence, energy and tourism (see panel, previous page). Furthermore, companies often think they will suffer little direct impact if they have no operations in dangerous parts of the world.
In brief
The bad news: geopolitical risk affects all companies, no matter where they operate, through its effects on the global economy and on extended supply chains. While businesses in sectors traditionally perceived as risky tend to monitor and analyse geopolitical risk well, too many see it as irrelevant. This could prove a costly mistake. The good news: internal auditors have a large part to play in raising the profile of these risks at board level and helping to establish monitoring and control processes. Effective actions to mitigate risk need not cost much, although accurate data is vital.
This is a big mistake, according to John Abbott, head of corporate risk advisory services at professional services firm RSM Tenon. "Mid-market businesses suffer from the macroeconomic effects of geopolitical risk, such as increased fuel and commodity prices and lower disposable incomes in emerging markets, which can reduce consumer spending," he says. "Geopolitical risk can even affect entities that operate in the UK only." Furthermore, Abbott warns, many mid-market companies are exposed to risks in countries such as China because of supply-chain problems. This is why the chances of political and environmental turbulence need
to be factored into all organisations' strategic risk assessments. Internal auditors should ensure that this is done properly with board involvement. For example, he says, organisations may now need to ask: will the new regime in Libya be a more or less stable business partner? And how do I deal with my Japanese supplier in the wake of the tsunami? And, beyond this, what are the longer-term impacts of climate change? "Geopolitical risk is something that internal auditors should get involved in," he argues. It is up to them to ensure that the company has the right mix of risk management and governance expertise in place to give assurance to the board that such factors are being considered and that action is being taken to minimise exposures. For example, the internal auditors need to challenge the senior management team with tough questions about how it reviews the company's supply chains and its business-disruption policies and whether these are tested regularly. The function also needs to make it clear that, while the organisation's direct exposure to geopolitical risk may be low, its indirect exposure through its supply chain and customers may be high, depending on where it sources materials and sells goods, Abbott adds. Paul Sawdon, head of internal audit for the UK at professional services firm KPMG, agrees. "It is our job as a profession to ask questions and challenge the board and senior managers about risks facing the business. Geopolitical risks are no different from any other area of risk management in that respect, so internal audit needs to keep asking questions and challenging the management team. If we don't do that, we aren't adding value," he says. But, while some organisations may see geopolitical risks as too complex to deal with internally, Abbott believes they may be pleasantly surprised at how straightforward it actually is. "A lot of this is based on scenario planning: experienced people sitting in a room talking about social and political risk and how it might affect investment in another company, rather than systemic ways of identifying risk," he says. The process doesn't need to be costly, either. "It's more about organising the board and non-executives to have the right debate in the right way than about spending a lot of money on advisers and systems," he says. "You have to create the right environment in the boardroom to have the debate."
Healthy appetite
As a landmark study by the Institute of Risk Management highlights, if risk is managed properly, it becomes less of a threat and more of an opportunity.
Words: Selwyn Parker
Speaking in spring, just after the Japanese earthquake, Germany's chancellor, Angela Merkel, said: "If the seemingly impossible becomes possible [and] the absolutely unlikely becomes reality in a highly developed country such as Japan, that changes the situation." The quake and tsunami had dire and unpredictable consequences worldwide, including in Germany, where the nuclear industry now faces an obligatory measured exit by 2022. Good businesses and organisations accept that they face certain risks (unexpected, situation-changing events) and adopt measures that they believe, or hope, will protect them from the worst effects. But, as the Institute of Risk Management (IRM) outlines in a recent research report, Risk appetite and tolerance, risk is a many-headed beast that should be handled in a more focused and disciplined way, particularly at board level. "Until an organisation has a clear view of both its risk capacity and its risk management maturity, it cannot be clear as to what approach would work or how it should be implemented," the report argues.
The upside of this is that, if it's properly integrated into an organisation, risk becomes an opportunity to be exploited rather than a threat to be feared. First, boards have a significant amount of work to do. Risk is viewed differently by each organisation, depending on its risk appetite, tolerance of risk and risk performance. "Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive: it means many different things to many different people," the report notes. "For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others, gross risk."
New perspectives
The report was written mainly by Richard Anderson, IRM deputy chairman, with the help of a heavyweight working group from the banking, resources, telecoms and risk consulting industries. It aims to stimulate a much more enlightened debate on handling corporate risk. "It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a fundamental difference to how organisations are run," the report states. But Anderson, a veteran of the risk management industry who has advised scores of companies across the commercial spectrum, believes that if this is to happen it must be preceded by what may be a potentially agonising, but ultimately rewarding, process of internal examination. "The main area where organisations are struggling with risk appetite is in getting to grips with the multi-faceted nature of it," Anderson says. "For so long risk management has been seen as a simple (and comparatively low-value-adding) exercise, but here we are saying that it's at the heart of a business from strategy to operations and that it is at once about managing people and about dealing with hard-edged numbers." Making it relevant and creating new tensions in the boardroom is going to be hard work, especially when organisations get to grips with the necessary data, he adds. "While risk appetite doesn't need to be a new industry, it does have to make a difference. Otherwise, it is a waste of time."
bottom. "Identifying the risk a company runs is the first step," Cain says. It should begin with people at every level. Risk is not numeric. There's no one kind of measurement. Often the dangers are obvious. Yet serious threats can also go largely unrecognised and unmonitored if they are harder to trace and define. Cain believes that one of the biggest challenges for boards can be making all employees sensitive to the risk culture. "It's the visibility of risk that will be important," she says. The entire exercise is ultimately anchored in organisational behaviour. Carolyn Williams, the IRM's head of thought leadership, says: "The biggest hidden risk is actually a rather boring one: poor housekeeping. An organisation with low standards of operational performance is so much more vulnerable to problems and to the snowball effect where one problem causes others, with costly consequences." And, as executives at Japan's Tepco nuclear power station, which is in effect now under state control, would probably agree, some risks may be beyond a company's control but not necessarily outside its responsibility. "You can't manage each risk," Cain says. "But it is important to be aware of it and monitor it." The IRM doesn't present its report as the bible on the topic, but rather as a starting point in what promises to be a long-running issue. As the authors point out: "We do not think that this will be the last word on the subject in such a fast-moving environment."
Germany's nuclear industry faces an obligatory measured exit because of Japan's experience.
The proof is in the pudding. In hindsight it's indisputable that a more formal analysis by News International of its exposure to risk would have alerted its managers to phone-hacking practices. And, as its congressional testimony revealed, even BP's sophisticated monitoring systems proved insufficient to anticipate, measure and control the long-term consequences of the Deepwater Horizon blow-out. But there are no excuses. Jackie Cain, policy director at the IIA, points out that boards of directors have an official mandate to take such risks into account. "A business is responsible for risks that the company runs," she says. "The code of corporate governance makes that responsibility specific." And yet the concept of risk is not well understood. The IRM is not proposing a new era of puritanical risk aversion and nor does the governance code, far from it. "Our underpinning precept is that organisations can progress only by taking those risks that they need to embrace and by managing down those that they wish to avoid," Anderson says. The report makes it clear that risk appetite and risk tolerance are inextricably linked to performance over time. The big question is:
what does successful performance look like? So it's not about avoiding risk but about embracing it in the right way. "There's nothing wrong with taking risks," Cain explains. "But it must be identified and the company must account for it. It's dishonourable for a company not to know the risks it's taking. It's all about accountability." That's why, as the report observes, "we also anticipate more use of key risk indicators and key control indicators". Much, if not most, of the theory and practice of risk has until recently originated from the financial sector and many there got it all wrong. The quants in the giant institutions convinced their superiors that they had all but eliminated risk in investment banking. Accountants, consultants add, also played their part by relying on an approach that was too mechanistic, being overly reliant on numbers and measures. A box-ticking approach is not advised. Rather, the entire exercise should start at the
read more
Find a longer version of this article, including tips on setting risk appetite, at www.auditandrisk.org.uk
While most will agree that there have been varying degrees of success in implementing all elements of the ERM framework, one key element that remains elusive is an effective monitoring mechanism. A mechanism that not only monitors an entity's significant risks, but reports, investigates, and escalates in a timely fashion, throughout the organisation. The importance of monitoring has been entrenched in the COSO ERM Integrated Framework by assigning it an entire section of the COSO cube.
Specific Challenges
Time taken to Perform Self Assessments
One of the biggest challenges is the time required by risk owners to ensure that significant automated controls are in fact working. For example, a mortgage company has a risk of losing millions of dollars where penalty charges on late mortgage payments are not being properly calculated and booked to the mortgagors' accounts. The risk owner now has the challenge of selecting a sample of late payments from a past period, and testing the controls manually or, with the assistance of a spreadsheet application. Note that all of this has to be done while the risk owner continues to perform his or her normal operational activities.
Delays in Identifying Breaches
There is a delay between when a breach occurs and when it is identified. Testing the rules discussed above regarding late mortgage payments from a past period is useful but does not address the issue of potential losses because of the delay in detecting the problem.
Coordination with the IT Department
Risk owners will sometimes request data from IT to upload to local spreadsheets for testing. This introduces data security risks as large volumes of sensitive data become resident on local computers which may not be properly secured.
Transparency in Reporting
Once the relevant self assessment tests have been performed, the results are not always thoroughly investigated and/or reported to the Board or Audit Committee where serious breaches have been detected. Managers face a significant ethical dilemma as reporting serious breaches may reflect negatively on their performance and could also affect incentive payments and job security.
Overcoming ERM Challenges with CCM
Time taken to Perform Self Assessments
CCM is implemented as an independent testing mechanism whereby controls are assessed by examining the core application's data. This is fully automated and Management only needs to react to the control exceptions but more importantly the adequacy of the control is being determined independently.
Coordination with the IT Department
CCM addresses major concerns regarding the safeguarding of IT assets; primarily data. The entire data extraction, consolidation and control assessment is done in a secured environment. Even the remediation process performed by management is stored in a secured database. The recurring demands on the IT department to provide reports for risk owners for them to determine the adequacy of the control is time but with CCM this process is implemented once and then automated. Management is only notified if there is a problem or a potential problem.
Transparency in Reporting
Remediation of control breaches is just as important as detecting them initially. The CCM framework ensures that once the issue is detected it is assigned to the relevant person, timelines are established and an escalation path determined. Other critical players are also notified such as Internal Audit, Risk and Compliance. There is no opportunity for the issue to be concealed and therefore all stakeholders are inclined to collaborate and resolve the breakdown in control.
Role of Internal Audit
Leading ERM methodologies require Internal Auditors, like Management, to play a key role in ensuring that an entity's high risk areas are monitored. In environments where CCM is first implemented by internal auditors (continuous auditing), the auditor's image and reputation in the organisation is significantly enhanced. This frequently results in management asking the auditors for advice and direction as they move to install their own CCM solution (continuous monitoring). In these situations auditors must be careful that their independence is not tainted based on their close association with management's CCM implementation. This can be managed by ensuring that the Department's role is solely that of an advisor.
Conclusion
Allowing CCM and ERM to enhance each other will solve many long standing challenges in governance, risk and compliance disciplines. ERM should be used to establish the foundation for implementing effective internal controls monitoring, while CCM should be used as a powerful tool to provide more independent and timely information on the effectiveness of internal controls. When implemented properly, management and other stakeholders will experience a remarkable improvement in the value added by both CCM and ERM primarily by creating a sustainable and dynamic internal controls environment.
Based on the whitepaper, Completing the ERM Circle with Monitoring. Visit www.caseware.com to download.
IN PROFILE:
The IIA's president, David Reynolds, has been involved in internal auditing for nearly 25 years. Since leaving his position as director of internal audit and regulatory compliance at BT in 2007, he has held the chairmanship of the IIA Scotland committee and has served as a member of council and as the institute's deputy president. He also has a directorial role with the UK arm of US-based consultancy MorganFranklin.
On 5 October the IIA welcomed its new president and deputy president. Audit & Risk caught up with David Reynolds FIIA and Nicola Rimmer CFIIA to hear about their hopes for the institute and the profession.
Words: Alice Hoey Photograph: Charlie Hopkinson
New voices
IN PROFILE:
Nicola Rimmer has been an internal auditor for over 13 years and a qualified member of the IIA for almost as long. She has worked largely in the financial services sector, in large and small teams and at various levels, and is currently an audit manager at Friends Life. Within the IIA, Rimmer has held positions at district and council level, and has served on various committees, including the member network committee.
qualifications are designed to provide a good framework of knowledge, while its courses, events and discussion forums provide a fantastic chance for members to network, share experience and gain knowledge. I'm also looking forward to promoting our profession more widely. I'll be supporting the president and the CEO in driving the IIA's strategy, in particular working with regulators, external auditors, boards and audit committees and other key stakeholders to promote the internal auditing role. By increasing our profile in the mainstream business media, we would hope to extend our reach to a wider audience. We must also look to promote a wider understanding among the public about what internal auditing is and what we do. This is extremely important for a professional body that has a public-interest dimension to its charter. Internal auditing is increasingly coming under the spotlight. The profession is maturing and we are taking our place at the top table as a key part of the corporate governance framework. No other profession provides such insight and ability to influence across the whole organisation. But we cannot be complacent, and I am also looking forward to engaging with the wider profession in order to promote the IIA's work. Commentary on corporate governance and risk still doesn't include the role of internal auditing as a matter of course and our function received very little attention in the research into, and explanations of, the financial crisis. We have an ambitious strategy in place to develop and promote the profession, as well as to engage the leaders of the profession. As deputy president, I can positively contribute to the success of this strategy.
Internal auditing is under the spotlight, arguably in a very positive way and increasingly because we, the institute, choose to put it there. We've done a great job over the past 18 months in delivering the strategy outlined in Essential to success and we'll keep beating that drum. But we must now also form clearer policy positions on key areas, such as our relationships with regulators, external auditors, boards and audit committees and risk management functions. What status should our reports and opinions have and how should they be used? And how should we exercise our responsibility to engage at strategic management level? The IIA executive and council have started working on this policy challenge, backed up by research and opinion-gathering that will allow us to fight our corner. We need heads of audit to collaborate with us to support and guide the development of those policies. We also need to explore whether and how we can make better use of our relationships with the eight sector-specific special-interest groups. These are seldom used to help shape our thinking. The IIA doesn't have the capacity to understand and intelligently opine on the specific needs of every sector or, for that matter, those of the governments of the UK, Ireland and the EU. Although the special-interest groups, our regions and the European IIA organisation can help, we will need to prioritise the policy areas we tackle. One area we can't ignore is the public sector, from which comes a sizeable percentage of our members. The need to develop our influence and policy applies equally to the public sector and the private sector, and it is pleasing to see the progress made with our colleagues in CIPFA. I am quietly confident that this collaboration will bring significant value to both institutes.
We also have wider aspirations and are fully engaged with IIA Global and in developing a global strategy. We expect to host the IIA Global conference in 2014 and have made good progress regarding the potential for our Advanced Diploma to be part of a global suite of qualifications. While we may not instinctively seek the limelight as practitioners, we must be highly visible in our organisations, from top to bottom, if we want to be truly influential. But, more than that, if we want to meet our ambition to be trusted advisers and strategic partners, we must also be knowledgeable about our organisations and how the components fit together from an internal control and risk management perspective. We must also be alive to the negative and sometimes corrosive cultural issues in our organisations and be willing and able to tackle them head on.
Dates/locations
10 November Leeds 7 December London
Implementing the cloud Benefits, challenges and risks for internal audit
Cloud computing will impact all areas of your business, including people, processes and systems. With this new technology, risks are elevated as internal IT privacy and data controls and compliance models are replaced. A cloud strategy vetted and supported by internal audit will help organisations take advantage of the compelling cost benefits while managing potential new risks. Attend this seminar and learn how cloud will impact your business and what control assurances internal audit could provide.
Also coming up
The Bribery Act: what it means for internal audit. 17 November Bristol, 1 December Worthing
Dates/locations
24 November London
Crime Inc
Organised criminals pose serious risks to local authorities. The audit manager at Falkirk Council has tackled the issue head on, raising the profile of internal audit in the process. Words: Christian Doherty
Agency (SCDEA), O'Connor soon realised that Falkirk had to update its response to these threats. "SCDEA emphasised that the key to defining organised crime is that criminals are looking for power and profit. Anywhere there's an opportunity for these they will look to exploit it," he says. Once he understood the reach, capability and sophistication of organised crime, O'Connor saw that failing to address the risks left the council vulnerable in many ways. "Falkirk is between Glasgow and Edinburgh, so we're between two centres of organised crime," he explains. "The feeling we got from SCDEA's mapping was that, as criminals are pushed out of the big cities, areas such as Falkirk become increasingly vulnerable and attractive to them." Authorities such as Falkirk are also attractive because they are perceived as having less knowledge than their large city counterparts do of organised crime and fewer resources to combat it. But, with 7,000 employees and a budget of about 350m, the council still presents a big target for criminals. Pressures on budgets have increased the perception that smaller local authorities are relatively defenceless. "The watershed moment came in June 2009 when the Scottish Serious Organised Crime Taskforce released its Letting our communities flourish strategy and we heard for the first time the types of organised crime risks that an authority could be exposed to," O'Connor says. The strategy focused on four Ds: divert individuals from crime; disrupt organised crime; deter criminals from targeting various groups; and detect criminal activity. "We thought this is potentially pretty significant. After that, given our responsibility for providing assurance to the council's audit committee, we couldn't ignore it," he says. So O'Connor, Templeton and Carmichael started working on an approach for assessing risks posed by organised criminals to local authorities.
First, they had to get to grips with different activities perpetrated by organised networks and understand the scale of the problem. Then they could design an audit and assurance framework to meet the challenge. This wasn't easy, since organised crime thrives on secrecy. "The unknown, more than the known, grabbed our attention," O'Connor explains. "It made us think beyond organisations from which we purchased goods and focus on those that we contracted with and granted licences or planning permission." Closer to home, O'Connor had to consider ways in which council property could be used for criminal activity, from cannabis farms to prostitution and people trafficking, as well
When local authorities highlight their risk exposure priorities, increasing emphasis on value for money and efficient delivery means it tends to be easier for audit teams to focus on these than on issues concerning fraud, corruption and crime. But Gordon O'Connor CMIIA, internal audit manager at Falkirk Council, along with auditors Graham Templeton CMIIA and Sandy Carmichael, recognised in 2009 that, unless their organisation took a new approach to organised criminal activity, it risked being an easy target. First, they had to learn more about what they were up against. "When we started, we saw organised crime as being like gangsters on TV, mafia-style figures, but doing this work we've started to understand that organised crime is run like big business," O'Connor says. Organised crime involves more than one person; requires control, planning and specialist resources; and causes, or could cause, significant harm while benefiting the criminals. The breadth of the council's activity and operations exposes it to many types of organised crime. Working alongside the Scottish Crime and Drug Enforcement
Key vulnerabilities
The procurement of services. Taxi services, for example, are often used as fronts because they have a high cash turnover. The use of council property for illicit activity (people trafficking, prostitution, etc). Fraudulent applications for council funding. Information risk. Staff who access sensitive data are vulnerable to coercion or bribery. Internal fraud. Disgruntled or compromised employees can access finance records or sensitive information.
{
sharing information and having protocols inplace, says OConnor, who adds that managers are more aware of the risks they need to deal with in their departments. The senior management team is taking the threat from organised crime seriously, too. The objectives of the Letting our communities flourish strategy are embedded in operational and audit strategy, and links between the council and law enforcement authorities have been strengthened. The council has also considered its whistle-blowing procedures, beefed up its anti-money-laundering procedures and improved its communications with external agencies. Now internal audit must ensure that it stays on senior managements agenda, OConnor says. It mustnt be a six-month fad before normal business is resumed and financial pressures push it off the radar again. He believes that adding organised crime to the list of audit items would have failed if it had fundamentally changed the way the council worked it would have used disproportionate resources and left gaps elsewhere. Raising organised crime as an audit item has also brought unexpected benefits. It has boosted the profile of the internal audit team, and it has added freshness to our approach and outputs without necessarily using more resources, OConnor says. And the response has been positive. Weproduced a document that sums up our work, the risks we looked at and the questions we asked, making that available to various bodies and across the Scottish Local Authorities Chief Internal Auditors Group. Responses suggest that other councils are keen to work in this area, he says. The initiative was highly commended in the 2011 Cliff Nicholson Awards for innovation and excellence in public service audit. But, what is most important is how much more aware our managers are of these risks than they were before, OConnor says.
as fraudulent expense claims and benefit scams. Once he could see the risks, he worked with SCDEA to map vulnerabilities against police intelligence in order to establish key areas of local authority operations and see whether there was an established link to organised crime. The next stage was to revisit the audits planned for 2010-11, OConnor says. Looking at areas such as providing external funding and purchasing taxi services, we thought about them from a serious organised crime perspective. We tried to think of risks that we hadnt considered before. It soon became clear that equipping the authority particularly the internal audit function with a useful framework for mapping, rooting out and protecting against organised criminal activity would require a change of approach. That challenge was increased by pressure on budgets. We cant scrutinise every pound we spend, OConnor says. But were exposed on several levels and we have to think about how we deal with it how we recruit and vet
new staff and how we vet suppliers and the people responsible for providing goods and services and for delivering contracts. He therefore looked for ways to overlay awareness of the issues on established audit protocols. The audit process hasnt changed fundamentally, but the thought process before each audit has, OConnor says. Ive got a set number of audit days, so I cant afford to dedicate a huge number of these to serious organised crime. But if were going to audit procurement, say, then we will consider these risks at the planning stage and build this into the process. In the case of a taxi contract, for example, the audit team now considers issues ranging from information sharing and procurement policy to operator and driver licences and fit-and-proper person tests. These changes have led to a much clearer understanding of risks and areas to improve. Weve got the messages across and were now more aware of the benefits of
29
Avoid using jargon. You need to be able to talk the language of business as well as the language of risk. If not, you will put up barriers and managers will view you as an outsider.

Brief or train those who govern the organisation. If you don't think this is important, ask yourself how often risk information that is passed up through your organisation is used to change a process. The objective is to make change happen.

Work to a structure. Even the most entrepreneurial business needs some structure for its risk management, whether that involves following set guidelines or a code of practice. There are several of these already available. For example, ISO 31000, Risk management: principles and guidelines, defines the practice of risk management as it moves from principles to framework to process. In addition, you need to identify the roles in your organisation that need to be given risk-related objectives.

Define success. If you haven't defined what success means for your organisation, this shortcoming will be reflected in what comes out of the process. It is too easy for companies to become lazy and to rely on routine. Risk workshops are a good way to achieve a common understanding of your definition.

Keep risk registers fresh and relevant. There is a huge variety of risk registers, many examples of which are available on the internet, so check these out for ideas. Remember that you must identify what information your business needs to collect and how it will be used. One useful tool is bow-tie analysis. This offers a visual representation of the causes and consequences of a serious risk and the barriers, such as systems or people, you need in place to limit your business's exposure.

Retain knowledge. Most of the information we refer to is kept on paper or in IT systems. Your business needs to capture information and store it in an accessible format before key people move jobs and take their tacit knowledge with them. It also needs to have the right culture in place. One way to ensure this is to run an annual survey. Employees can be asked questions about how competent and

Understand the interdependencies across your organisation. Consider how all the business's risks link with each other.

Continually assess performance. Benchmark your business's risk management against that of other similar organisations and see how your systems measure up to theirs.

This article is based on Allan Gifford's seminar at the IIA conference. For details of IIA training courses on risk, visit bit.ly/oPuqHF
Career development
move forward on their career path and feel that you have helped them in some small way. Many people will stay with a particular mentor for only a finite period. To me that's natural, because you will want different things from a mentoring arrangement at different points in your career. As a mentor, you have to be a good listener and should help the mentee to find the answers rather than providing them yourself. It's also important to remember that the relationship is confidential and to build an atmosphere of trust. The mentee may need to open up and share some personal and sensitive information with you.
If you're looking to be mentored, you should think carefully about what you want to gain from the experience. This will also help you to find the right mentor. You should prepare for meetings with your mentor. That individual is investing time in you, so respect the process and ensure that you gain as much from the opportunity as possible.
Rachel Bowden is a director in RSM Tenon's risk management service line. She is responsible for supporting the development of a team of internal auditors and chairs the IIA's guidance working group.
You asked us
Q&A
Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you've submitted recently.
Q: Before the evolution of risk-based internal auditing, findings were reported by control. What is best practice today for internal audit reporting? Should findings be reported by control or by risk?

A: Given that internal auditing is all about providing assurance on the management of risk, a reporting method that aims to highlight risk and the effectiveness of risk responses is good practice. I would suggest starting your report with an overview of how the risk management process is applied in the area you are considering. For example, does it follow policies and procedures; are risks regularly discussed and updated; and are responses reasonable? This will set the scene and allow you to say something positive, as well as providing an overview and opinion of how well risks are being managed in general. It will provide a balance. When you agree the scope of the audit, it is logical to describe the high risks you intend to look at and then report against these headings in turn. The IIA's international standards and guidance are not prescriptive on how reports should be presented. There are no definitive templates, as it depends what works best for your organisation. But you will find one report template in our online resource library, along with a number of examples of how other internal auditors grade recommendations (visit bit.ly/oiMYLp). If you would like to add your report format, please send me a copy.

Q: Is there a best practice or recommended standard for the frequency at which a company should rotate its external auditor firms?

A: For the UK and Ireland, the auditing practices board of the Financial Reporting Council issued a revised ethical standard 3: Long association with the audit engagement, in 2009. This states that an external audit engagement partner should be rotated every five years. The firm does not then participate in the audit engagement for a further five years, although flexibility of up to an extra two years is permitted in some cases. But this flexibility applies only to changing the partner, not the audit firm, something that has been resisted strongly by accounting firms. It seems to be at the discretion of the audit committee, based on whether it feels that it's getting a good service and value for money.

Q: What is best practice for a subsidiary whose local regulator requires the internal audit services provided by its parent company to be formalised in a service-level agreement (SLA)? In particular, the local regulator insists that the SLA allows the local subsidiary to appoint and replace the internal audit function.

A: The international standards and supporting guidance can't cover every eventuality, so there is no specific material on your particular situation. This is a governance and relationship management matter that really needs to be discussed by all the parties involved. It may even be something for the group board to consider and resolve. Perhaps it is a sign of the times, but regulators seem to be exercising their powers and rights more since the financial crisis. The local regulator and the local board need to ensure that they have sufficient internal audit assurance, particularly if the local firm is outsourcing its internal auditing to group internal audit, hence the need for an SLA. At the same time, I can appreciate that the group board must maintain control over subsidiaries and requires a wider perspective on risk and control, not to mention the cost of internal audit.
Got a question?
Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
Getting qualified
Student noticeboard
Essential information for exam candidates. Visit the student information centre at www.iia.org.uk for updates
November 2011 exam series: authority-to-sit correspondence
Correspondence was sent on Monday 24 October to students registered to sit the exams. Candidates must present a copy of this on entry to the exam venue, as well as photographic ID. If you have not received your correspondence, contact exams@iia.org.uk or call Aneta Zieba, assessment coordinator, on 020 7819 1928. Pre-exam instructions and exam regulations are available in the student information centre at www.iia.org.uk. Students must read these before the exams. Details about exam venues are available on the Examinations web page.
Extenuating circumstances
If you would like extenuating circumstances to be considered for these exams, you should read the relevant policy in the Regulations and policies section of the Examinations pages in the online student information centre. Chief examiners advise that any circumstances cited should
apply on exam day. While definitions of an extenuating circumstance must be flexible, claims will be tested by focusing on the effects they could have had on exam day. Circumstances that affected someone's preparation for weeks or months beforehand, and which they claim affected their performance, will be scrutinised rigorously. Students wanting to submit details of extenuating circumstances that occurred on exam day must do so within a fortnight of the exam. Correspondence must be supported by evidence in accordance with the policy.
Accreditation from the Open University
The Open University (OU) awards general credit rating applications to external bodies to recognise their qualifications. Since 2007 it has recognised the IIA's professional qualifications as postgraduate level, with up to 60 credit points for each IIA Diploma and IIA Advanced Diploma, and up to 30 for the IIA Qualification in Computer Auditing. These ratings can be used when applying to study at higher education institutions. Awards of specific credit can be used towards particular OU distance-taught qualifications. Visit the Open University accreditation pages at www.iia.org.uk for details.

Exam pass notes
Visit the Audit & Risk website at bit.ly/rli7eo for a guide to exam technique by two examiners.
Materials for case studies, past-paper packs and chief examiners' reports
Case study materials for the IIA Diploma and the IIA Advanced Diploma are available in the student information centre. Past-paper packs and the chief examiners' reports for the June exams are also available in the student information centre.
IIA Advanced Diploma in Internal Auditing and Management
M1 Strategic Management: Monday 21, 2 to 5.10pm
M2 Financial Management: Tuesday 22, 2 to 5.10pm
M3 Risk Assurance and Audit Management: Wednesday 23, 2 to 5.10pm
M4 Advanced Internal Auditing Case Study: Thursday 24, 2 to 5.10pm

IIA IT Auditing Certificate
A1 IT Auditing Certificate multiple-choice questions: Monday 21, 9.30 to 11.30am

June 2012 exam series
Exams will be held from Monday 11 June to Thursday 14 June 2012 inclusive.
Congratulations to the IIA members below, who were successful in the June 2011 exams.
The Chartered Institute of Internal Auditors is the only organisation offering recognised professional qualifications for internal auditors in the UK and Ireland.
In June 2011, the following students successfully completed the examined element of the IIA qualifications:

IIA Advanced Diploma in Internal Auditing and Management exams completed
Asher, Bridget L Ashford, Natasha Atherton, Sharon L Atkinson, Neil A Barry, Helen Blewitt, Justin D Bowe, Jeffrey Buchanan, Alexandra Chapman, Amy J Chappell, Katharine L Cook, Gillian H Cooper, Darren Cullis, Dean G Delaney, Thomas P Edwards, Stuart R Fitzsimmons, Penny Flavelle, Rebecca Foster, Alastair J Gallagher, Peter J Graven, Michael N Hamel, Brian A Harris, Andrew Hastie, Hazel Havers, James M Hellary, Daniel Higgs, Helen James, Caroline P Jenkins, Richard John, Lea Kenny, Chris Kerr, Clare L Kumi, Anthony Lewis, Michael J Lye, Patrick N Maddock, James Mason-Bell, Angela McCavigan, Tracey Mills, Louise P R Mingout, Deborah Moloney, Paula Murray, Fiona H Ojo, Ayodele Patel, Krupali Puddicombe, Charles A Scott, Robert J Scutt, Jon Self, Sarah M Sharman, Teresa C Sharpin, Linda Stewart, Gary Tye, Graham R Vaughan, David J Woodhouse, Scott A Woolley, Rob
Bray, Sarah Brewster, Martha Y Clark, Peter Clarke, Paula Clarke, Stephen W T Cleary, Michael Clifford, Barry Cowell, Ian J Davey, Julie-Anne Davidson-Dell, Simon Davies, Karen L Dean, Anthony Dempsey, Kim Dent, Michael R Devine, Gail L Downer, Stephen P Elliott Cartwright, Lee Fargus, Peter R Finnerty, Jason Fitzgerald, Anna Fleming, Ian Forster, Erin Fuller, John R Fuller, Katie Ann George, Lisa E Gibson, Gary Halliday, Neil Harper, Jennifer Harrison, Andrew Heasley, Roger J Hedley-Smith, Martin Highton, Dawn C Hilling, Sally Hirst, Matthew Hughes, James A Jolliffe, Hayley M Jones, Myra L Kelly, Elizabeth A L'Abbate, Helen Lacy, Kelly A Lawes, Amanda Leggett, Stephanie M Ling, Jeanette Liveston, Kirsty Marshall, Imogen McKenna, Fiona McNeill, Gerald McWatters, Caroline Millar, Dermot P Molyneux, David G Moore, Paul W H Murfet, Neil R O'Connor, Damian P O'Connor, Stephen O'Keefe, Paula Oakley, Katharine Parish, Emma Patel, Jashita S Peacock, Sean Pinkerton, William Plaskett, Sarah Pople, James S Purvis, Neil Rai, Ramesh Raine, Linsey Rayner, Sara Redmond, Jonathon K Robinson, James Shield, Bernadette Sisson, Paula Slater, Christine A Snell, Mark J Tallon, Una Taperell, Alice E Taylor, Angela Timothy, Oliver Towse, Mark N Trimarco, Marcus J Turner, Nadine Ujah, Chinyere C Wain, Ashley A Wakefield, Ryan D
Walsh, Susan Whan, Gavin Whitehead, Mark Whyte, Judith R Wilkinson, Tracy Willetts, Karen Williamson, Peter J Wilson, Andrew J Windsor, Graham Wood, Chris Woodward, Julie L Yardley, Caroline
Rayner, Sara Richardson, Angela Robinson, Dawn M Robinson, James Simonite, Kyle Spilsbury, Grant B Swainson, Karen A M Talwar, Kieran Tang, Adrian Thrupp, Michael Tod, Graeme D Tse, Lewis Turner, Nadine Ujah, Chinyere C Wain, Ashley A Ward, Theresa R Wilkin, Gary A Wilkinson, Tracy Wilson, Andrew J Wong, Maurice Young, Samantha
Ujah, Chinyere C Varvill, Richard Von Wenden, Svetlana Wain, Ashley A Ward, James Lee Willetts, Karen Williams, Nanette R Wood, Chris Wootten, Jenny R Wright, Matthew Young, Samantha
Tang, Adrian Taylor, Paul Thrupp, Michael Tong, Jennifer Verma, Pooja Vicary, Yvonne J Vipond Murray, Victoria Ward, Theresa R Windsor, Graham Wong, Maurice Yorkston, David
P3 Internal Audit Practice
Adeyemi, Abimbola Atwal, Jaswinder K Baird, Barbara Beckett, Kelly M Bessell, Robert Beveridge, Francesca Bolster, Peter Bolton, Melissa M Bourke, Anna Brown, Steven E Chambers, Paul G Clarke, Steven Colbert, Suzanne J Coles, Stephen D Collins, Jonathan Cowie, Amanda J Craddock, Victoria M Dawson, Carlien Dean, Anthony Del Greco, Gabriella A Elliott, Nicola L Enfield, Mark Evans, Julie Fargus, Peter R Faulkner, Nicola L Fell, James Fines, Barry J Franks, Grant W French, Christopher B Garden, Susan J Garner, Gemma L Haggerty, Robert J Hardwick, Victoria Hayre, Baljit Haywood-Evans, Andrew Heather, Alison Hussain, Zakir Jackson, Christopher Jackson, Craig S James, Derly E Kerr, Stephen G Lambert, Paul Le Roux, Lone K Leckie, Evelyne H Liveston, Kirsty Lovell, Daniel M Maggs, Ian P Matkin, Katerine M McMahon, Rebecca Molyneux, David G Morgan, Gail Mulholland, David J Nicholson, Christian M Norman, Suzanne P Peacock, Sean Powell, Gemma K Rai, Ramesh Ravindranathan, Ramah Rice, Michael L Roblin, Lloyd Sethi, Nittan Shepherd, Anna Shield, Bernadette Smith, Frances Smith, Karen Patricia Southgate, Laura Swainson, Karen A M
The following students successfully completed the following exams in June 2011:

P1 The Internal Audit Environment
Andrew, Stuart Ankach, Kayhan Atkinson, Andrea A Bancroft, James P Banu, Rahela Barker-Arnone, Emma Bennett, Helena Booth, Darren Bowers, Stuart M Clarke, Paula Clarke, Steven Collins, Jonathan Connolly, Angela Coveney, Paul D Cranston, James S Dadhania, Jasmine Del Greco, Gabriella A Dennis, Hannah E Evans, Saida Gilbert, Hollie Gilchrist, Laurie J Girvan, Deborah Handley, Lisa Heather, Alison Heeley, Jessica R Highton, Dawn C Hussain, Zakir Jackson, Christopher Jackson, Craig S James, Derly E Jonas-Nartey, Jocelyn Kaur, Sharonjeet Kendall, George Killen, Melanie Kondratowicz, Teresa Larcher, Timothy A B Leighton, Ruth E Lewis, Catrin Martin, Mairead R Masoeu, Kamohelo McWatters, Caroline Miles, Neil Nicholson, Christian M Pap, Timea Pope, Robert Powell, Gemma K Purvis, Neil Ravindranathan, Ramah
Lourie, Matthew Maguire, Mary McAteer, Kieran A McKee, Alan Melluish, Helen C Mullan, Deirdre Murray, Debbie M L Nikitas, Ephrem Oldham, Justin O'Toole, Brendan Scott, Colin A Sharman, Nicola A Shelton, Timothy C Shephard, Kelly Sheridan, Steven Small, Colin P Stirling, Alexis Todd, Norman Varela, Sonia Vaughan, David J White, Pinar Woods, Tracey Woodward, Louise Wright, Daniel
Smedmor, Christopher D Stewart, Gary Stirling, Alexis Warren, Fiona Welsh, Wendy T White, Pinar
M3 Risk Assurance and Audit Management P5 Corporate Governance and Risk Management
Ackred, Matt R Adeyemi, Abimbola Ali, Shiraz Amos, Martin J Bailey, Helen D Basford, Philip Batey, Michael H Bennetts, Frances Bolton, Melissa M Brown, Steven E Clarke, Steven Coleman, Susan Cowie, Amanda J Cox, Angela W Craven, Hilary Cuthbert, Sinead Dawson, Carlien Dean, Anthony Del Greco, Gabriella A Elliott Cartwright, Lee Elliott, Nicola L Evans, Julie Fargus, Peter R Fell, James Fittall, Rachel E Fuller, John R Gibson, Gary Gilbert, Hollie Goold, Anita C Haggerty, Robert J Hainsworth, Richard A Hall, Sheldon Hardwick, Victoria Heather, Alison Hughes, Karen Hussain, Zakir Jackson, Christopher Jolliffe, Hayley M Jones, Lucy A Lang, Charlotte J Lawes, Amanda Lawson, Ashleigh Le Roux, Lone K Liveston, Kirsty Lloyd-Roberts, Rhys W Lyons, Mark D Marshall, Imogen Martin, Sebastian J Matkin, Katerine M McCullough, Johanne McNeill, Gerald Mennear, Catherine H L Miles, Neil Molyneux, David G Mulholland, David J New, Hilary L Nicholson, Christian M Oakley, Katharine Osmond, Sarah J Owen, Gillian D Parish, Emma Parnell, Fiona J Peacock, Sean Pope, Robert Pople, James S Rai, Ramesh Raine, Linsey Rawal, Sohal Redward, Tim J Rice, Michael L Saxton, Nigel Shield, Bernadette Smith, Neil J Sodhi, Khushmit S Southgate, Laura Tang, Adrian Thrupp, Michael Timothy, Oliver Tse, Lewis Verma, Pooja Ward, Theresa R Watts, Jenny Whitehead, Mark Windsor, Graham Yardley, Caroline Halliday, Neil Harper, Jennifer Heasley, Roger J Hedley-Smith, Martin Hughes, James A Kelly, Elizabeth A Lacy, Kelly Ann Millar, Dermot P Moore, Paul W H Patel, Jashita S Redmond, Jonathon K Slater, Christine A Snell, Mark J Towse, Mark N Whan, Gavin Whyte, Judith R Woodward, Julie L Sharman, Teresa C Shepherd, Douglas C Sloan, Linda Smedmor, Christopher D Spencer, Jill Stubbs, Bharati Todd, Norman Townsend, Simon H Tye, Graham R Tyrrell, David Walker, Nicola Warren, Fiona Woolley, Rob Wright, Daniel Ashford, Natasha Brant, Andrew Breeze, Benjamin J Brown, Stewart Buchanan, Alexandra Buwu, Selina Chapman, Amy J 
Chappell, Katharine L Chilcott, Nigel Clapham, Fred Coogan, Stuart D R Cooper, Darren Cox, Richard J Davies, Christopher S Davies, Victoria A Delaney, Thomas P Ellis, Matthew Flavelle, Rebecca Foster, Alastair J Furness, Jon A Harrison, Sharon F Harrold, Lee P Heaphy-Davies, Lindsey Hellary, Daniel Hopewell, Peter James, Caroline P John, Lea Jones, Dewi F G Kaburara, Kimuli Kenny, Chris Kitchin, Julie Maddock, James Magog, Catherine E Maywah, Jayraj McCaffrey, Orla McHugh, Matthew I Melluish, Helen C Miller, Adam Moloney, Paula Njolai, Eric Ojo, Ayodele Oldham, Justin O'Shaughnessy, Paula Osunsami, Dolapo O Patel, Krupali Povey, Alex Saldanha, Roland F Satheesababu, Sonya Scott, Robert J Self, Sarah M Sharpin, Linda Shephard, Kelly Slayford, Shona
M2 Financial Management
Allen, Mark S Anderson, David Atherton, Sharon L Atri, Sunita S Barry, Helen Benmaamar, Sobh Bowe, Jeffrey Brant, Andrew Brown, Stewart Bull, Andrew J Cantwell, Grace Cook, Gillian H Cooper, Alan Fitzsimmons, Penny Furber, Kathryn Georgiou, Koulla Greenbeck, Fiona Hadden, Catherine M Hamilton, Andrew Harris, Andrew Hastie, Hazel Hellary, Daniel Hewitt, Paul Higgs, Helen Jenkins, Richard John, Lea Jones, Philip C Kaburara, Kimuli Kenny, Chris Khan, Addiba Kidd, Jonathan Lamb, David R Lefevre, Irene Lewis, Michael J
M1 Strategic Management
Ashford, Natasha Atri, Sunita S Bull, Andrew J Burrage, Peter Clarkson, George Coogan, Stuart D R Cullis, Dean G Durkin, Katey Ellis, Matthew Flavelle, Rebecca Hall, Mabel M Harrison, Sharon F Havers, James M Hellary, Daniel Heppleston, Russell J Hinde, Katharine John, Lea Kenny, Chris Kidd, Jonathan King, Simon R Kumi, Anthony Lefevre, Irene Lourie, Matthew Lye, Patrick N McTaggart, Lynne M Miller, Adam Moloney, Kevin J Oldham, Justin Ooi, Justin Povey, Alex Scutt, Jon
To find out how you can become qualified with the IIA, call 020 7498 0101, visit www.iia.org.uk or email studentsupport@iia.org.uk

Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.
IIA UPDATE
CEO sets tone at annual conference
This year's IIA conference attracted a record attendance of 250 delegates as the event returned to the Royal Society of Medicine in the West End of London. Opening the proceedings, Ian Peters, the institute's chief executive, spoke of the need to set the right tone at the top in organisations and stressed that supporting this objective was a key strategic role for internal audit. While regulators and policy-makers, particularly in the banking sector, were becoming less light touch, rules alone cannot fundamentally change behaviour, he said, adding that internal audit needed a higher profile and greater influence among its many stakeholders, both within organisations and more widely. Referring to recent institute research on the role of non-executive directors (Neds), Peters said there was still a long way to go to increase the understanding of risk management in organisations and that internal audit had another important role to play in achieving this. See page 10 for more information on the IIA's Neds research. Visit www.auditandrisk.org.uk to read a full report on the conference.
November
14
Heads of Internal Audit Service Forum: IT security, what are the current exposures? Edinburgh
23
IIA North East: risk management risk and the internal auditor Durham
January
20
Retail Audit Group meeting: topics are likely to include risk-based internal audits, the Bribery Act 2010 and team building. Anyone working as an internal auditor in a retail environment is welcome to attend. Newport Pagnell, Bucks
Call Jane Leek on 020 7854 8921 or email jane.leek@brc.org.uk
Email stephen.ireland@aviva.co.uk
24
The essential guide to treasury security and controls London
IIA award in the effective delivery of audit and assurance London
25 25
Insurance Internal Audit Group: ERM under Solvency II, lessons from a fraudster and governance audit London
Email Vicky Kubitscheck at contactus@iiag.org.uk or visit www.iiag.org.uk
February
8
IIA South West: outsourcing Swindon
Email john.thomasson@iia.org.uk
December
1
The Bribery Act 2010: what it means for internal audit Worthing
Heads of Internal Audit Service Forum: procurement and outsourcing, what are the current issues and how should internal audit respond? London
22-23
Date tbc
IIA Midlands: networking and social event (early evening) Location TBC
Email ann.brook@barclays.com
Moving up
Have you moved jobs recently?
To feature in the next Audit & Risk, email the editor at alice.hoey@caspianmedia.com
To update your contact details, log into the members page at www.iia.org.uk and click on My contact details.
Best in class

Four IIA members were rewarded recently for their outstanding performance in the exams.

Lorraine Matkin PIIA, of the Food Standards Agency, has been awarded the Charles Duly prize, which recognises the IIA Diploma in Internal Audit Practice student who passes all their exams first time and with the highest aggregate mark.

Alastair Foster CMIIA, of RSM Tenon, has received the Peter Hook prize, the equivalent award for the IIA Advanced Diploma in Internal Auditing and Management. "I took these exams to progress my career and develop a specialism," he said. "My advice to others taking these exams is to ensure that you put enough time aside and really study hard following the revision sessions."

Runners-up awards in the Peter Hook category were won by Katharine Chappell CMIIA, of the House of Commons, and Martha Kemsley PIIA, of RSM Tenon, who also both passed all their Advanced Diploma papers first time and scored the next highest aggregate marks. Speaking about the challenges of taking the exams, Chappell said one of the most difficult things was keeping the momentum going. "As the exams approached I found it harder to stay focused and to learn and retain information," she admitted. "Everyone's got their own style of studying: you have to find what works best for you and stick with it."

Katharine Chappell, assurance and control auditor at the House of Commons: "Find what studying style works best for you and stick with it."
Philip Ratcliffe.