
Issue 2 November/December 2011

The magazine of the Chartered Institute of Internal Auditors

Dealing with endemic corporate malpractice

RIP ethics?


Turning risk appetite into an opportunity

Shock tactics: dealing with geopolitical risk

Lean on me: could mentoring boost your career?

New voices: meet the institute's incoming officers


Contents
Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd.

Editors: Ruth Prickett, ruth.prickett@caspianmedia.com, 020 7368 7170; Alice Hoey, alice.hoey@caspianmedia.com, 020 7368 7151

Chartered Institute of Internal Auditors: info@iia.org.uk, www.iia.org.uk, 020 7498 0101

Subscriptions: membership@iia.org.uk, 020 7498 0101

Advertising: Lisa Govier, lisa.govier@caspianmedia.com, 020 7368 7133; Ian Mehrer, ian.mehrer@caspianmedia.com, 020 7368 7114

Creative director: Nick Dixon

Art editor: David Twardawa

Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited.


Front

3 The IIA view
From the CEO, Ian Peters.

4 World view
From Richard Chambers, IIA Global president and CEO.

5 View from the top
From Stephen Ireland, lead consultant, finance systems and change consultancy, at Aviva UK Life.

7 Feedback
Readers' comments.

8 Update
The latest news affecting the profession.

10 Vital statistics
The latest research findings on the effectiveness of non-executive directors.

Features

12 Bad company
Internal audit's role in tackling corporate malpractice in the UK.

16 Seismic precautions
Why geopolitical risk affects all organisations, wherever they operate in the world.

20 Healthy appetite
How risk, properly managed, can become less of a threat and more of an opportunity.

24 New voices
Introducing IIA president David Reynolds and his deputy, Nicola Rimmer.

28 Crime Inc
How Falkirk Council tackled organised criminals.

Regulars

30 Tools for the job
Resources, books, advice and guidance to help you perform.

31 Career development tips

32 You asked us
Experts answer readers' technical questions.

33 Getting qualified
Crucial exam information.

34 Exam results

38 IIA update
Institute news and forthcoming events.

40 Moving up
People and posts.

For more information visit www.auditandrisk.org.uk


View from the IIA

Strategic partnership: our ethical onus


The challenge for leaders is to set the right tone at the top. The challenge for internal auditors is to support its delivery.
Ian Peters, chief executive of the IIA

In the launch issue of Audit & Risk (September/October) I was keen to stress that the internal auditing profession has much to debate about its role, tools, techniques and practices. Our annual conference, which took place at the end of September and had a theme of "Driving business value", proved an effective platform for such discussions. The first morning was designed to seek perspectives from a range of internal audit's stakeholders, so we heard the views of Jann Brown, managing director and chief financial officer at Cairn Energy; Colin Day, audit committee chairman at AMEC; and Mark Carawan, chief internal auditor at Citigroup and a member of the institute's council. They discussed internal audit's position as a strategic partner to the business and concluded that such a role will go a long way towards meeting the needs and expectations of our profession's stakeholders. It will truly unleash internal audit's value to the business.

But getting there requires a push on two fronts. Individual practitioners, particularly heads of internal audit, need to focus more on engaging with their boards and audit committees, understanding their needs and in turn ensuring that they understand what internal audit can do for them as a business partner. And the institute, as the voice of the profession, needs to raise its profile and increase its influence. This is what we are aiming to achieve with our efforts to communicate with business leaders and policy-makers, both directly and indirectly through our media relations work.

Our relationships with key media contacts are getting stronger. This is demonstrated by the significant publicity we gained for the results of our survey of heads of internal audit and their relationship with non-executive directors on the management of risk (see Reportage, page 10). Some of those results also feature in the article on page 20, which discusses the transformational effect of managing an organisation's risk appetite. But, as the article points out, our survey showed that many organisations could substantially improve their approach to risk appetite and indeed their understanding and application of risk management.

To achieve this, leaders in organisations still need to understand that the correct tone at the top is crucial to drive a strong culture of risk management. Leaders create that tone as much by their own ethical behaviour as by the policies they set. What they do is as important as what they say. This applies equally to the private and public sectors. The recent concerns about the judgment and behaviour of the former secretary of state for defence are a topical example. His use of a friend as an unofficial adviser was clearly wrong. He was warned about the risks by those responsible for governance in the MoD, yet he did not respond appropriately. That particular issue has reached the only correct conclusion, but the broader debate about establishing ethical behaviour continues.

The challenge for leaders is to create the right tone at the top. The challenge for internal audit is to be aligned as a partner to support its delivery. I hope the articles in this edition prove a useful contribution to your knowledge about the issues and a source of information about how practitioners are tackling some of these. Our launch edition seems to have met its objectives, judging by the feedback we have received so far on the print magazine and its new website. Thank you for your views, observations and suggestions for its further development.

HAVE YOUR SAY


Post your comments about this article or the issues raised at www.auditandrisk.org.uk

View from IIA Global

Global ambition: getting a seat at the table


We have more work to do in this area, and much of this must be done by individual internal auditors.
Richard Chambers, president and CEO of IIA Global

Whenever I travel, I meet internal auditors with a similar vision. The words vary, but the message is clear: How can internal auditors get a seat at the table? What is IIA Global doing to help internal auditors become recognised and accepted as a part of senior management? We have more work to do in this area, and most of this must be done by individual internal auditors who are not yet seen as part of their organisation's senior management team. The problem is that many of these people are unaware of all the steps necessary to achieve their vision.

Having a seat at the table is an admirable goal, but first it's important to examine why you want to be there. Too often, internal auditors treat getting to the table merely as a sign of success. This is a mistake. We must be there for the right reasons, not because we hope that being with senior executives will make others view us as senior executives. A seat at the table is a means, not an end, and if you don't prepare for it you may damage, rather than enhance, your career.

It's also a mistake to view a seat at the table as a source of audit leads. If you leave your first management meeting with plans for an immediate audit of the operating unit discussed at the meeting, you may not be invited to the next one. You need to add value, not prevent others from talking freely. Management will benefit from our being at the table only if we are prepared to share, not just to listen. It is similar to being guests at a dinner party: we want our hosts to invite us back. It helps if we bring something fresh, interesting and important to the discussion. Focus on how to make operations better in the future, not on mistakes made in the past, and so provide not just hindsight, but also insight.

The table is not a training ground. We need to be able to discuss critical strategies and business risks facing our organisations. It is vital that we understand our organisation's core business and are aware of both internal risks and external factors affecting our industry. If we don't bring our own perspectives, we won't add value. And we must be able to defend our views by ensuring we fully understand the discussion.

Most internal auditors can offer such valuable insights long before they are invited to the table, because getting there usually comes about through the relationships they've built. It's not what we write in audit reports that gets us to the table; it's what we do and how we interact with management every day. Senior executives will want us there if they respect us and see us as knowledgeable, trusted advisers. Cultivating strong working relationships involves being aware of the issues keeping management awake at night. By the time most internal auditors are at the table, they no longer see management meetings primarily as sources of leads for audits because they are already fully informed on subjects likely to be discussed.

Adding value at the table requires a different perspective from the one we use as internal control advisers. Most internal auditors can discuss internal controls for a new strategic initiative, but when management discusses the feasibility of such an initiative, controls may be just one facet of this. To act as senior management we must also add value to other parts of the discussion.

An important part of IIA Global's strategic plan is to support internal auditors across the world in their quest to obtain a place at the table. We can advocate internal auditors and promote the value of internal auditing, but decisions over the scope of the role are made by organisations. Each internal auditor must therefore demonstrate the insight and capabilities to participate in their senior management team. Knowing what we want to accomplish and preparing diligently greatly increases our chances of getting there.

For further information


Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/IIACEO

View from the top

Risk exposure: controls and opportunities


It is vital that organisations understand the level of risk they are exposed to and factor this into all their decision-making.
Stephen Ireland CFIIA, lead consultant, finance systems and change consultancy, Aviva UK Life

The Chartered Institute of Internal Auditors has made significant progress in recent years. In my new role on the IIA's council I want to ensure that the institute continues to lead and promote the profession and the services it offers to both existing and prospective members. I'm aiming to develop close relationships between IIA headquarters and the regions and to stay in touch with local members. It's essential to ensure that their needs are being properly considered when developing strategy and implementing improvements.

In light of the current economic conditions, one of the key challenges for the IIA is to attract new talent to the profession while retaining existing members. The institute is working hard to expand and improve the services it offers through the delivery of its "Essential to success" strategy, which will help to address some of the challenges it faces. Other key tasks for the internal audit profession as a whole include keeping up to speed with regulatory developments and understanding business risks arising from the euro crisis and the effects of Solvency II.

This issue of Audit & Risk includes a feature on a recent report by the Institute of Risk Management (IRM) that highlights the opportunities that can exist for organisations in setting and managing risk effectively (page 20). It is vital that organisations understand the level of risk they are exposed to and factor this into all of their decision-making so that they understand what could go wrong and the impact that might have. But this should not prevent risks or opportunities from being taken as long as the risks are clearly understood. I believe it's essential for all successful organisations to build risk appetite into their strategies, systems and processes. For all key risks there should be specific tolerance criteria agreed by boards and audit committees, which are then reviewed regularly.

As the IRM paper outlines, responsibility for risk management lies with all employees in an organisation and the organisational culture from the top down should reflect this. People could be rewarded for highlighting risks and suggesting solutions to address these. Another option might be to include responsibility for risk management in employees' job descriptions and employment contracts. Internal auditors are well placed to provide advice and guidance, working with the business to aid the establishment of an appropriate framework. In addition, they can conduct periodic reviews to ensure that the framework has been embedded.

One of the risks highlighted in this magazine (on page 12) and in several other publications lately has been that of individual malpractice. Malpractice will always remain a risk and, in my experience, it varies significantly across organisations. There is a view that this risk may increase as a result of the current economic conditions, but well-designed systems and processes with effective controls should minimise it. Organisations should, wherever possible, be making best use of the available technology in order to combat malpractice efficiently and effectively.

For further information


Stephen Ireland CFIIA has been a member of the IIA for over 15 years, sitting on the North East committee and serving as chairman for five years before being elected to council in 2011. He also chairs the institute's member network committee, helping to support the regions and their work for members. Ireland has worked in internal audit for both utility and financial services companies and now works for Aviva, delivering change projects into finance, having worked in group audit for a number of years.


Feedback

We want to know what you think of the new Audit & Risk magazine and of the www.auditandrisk.org.uk website. These are edited versions of some of the comments we've had so far, but we'd like to keep the conversation going and to find out what you want to see in future issues. Please let us know by commenting on individual stories on the website or by joining the discussion forum in the knowledge centre at www.iia.org.uk

First impressions are often deceptive: smaller, fewer pages and where have the page numbers gone? Then it starts to sink in. OK, so the new magazine is smaller, but so is the type and there are fewer big pictures and it feels more like content. There's more of an edge to the look and it feels more incisive and engaging. The graphics are more current and reflect a more hands-on approach. Something's happened to the paper as well. No longer is it glossy and glam. Now it feels more purposeful. Then you come to the content. It has a news-like presentation and is to the point. We no longer have people sharing their views, but now we have "words by". It also feels as though these writers are real auditors and HIAs. Even the stalwart Neil Hodge (I like his work) seems to give a more punchy, but considered, perspective. And the postscript information that's provided is also good: if I'm interested in pursuing further research on an item, I have a starting point. Oh yes, and the page numbers were there at the middle on one side. Right under my thumb. Overall, then, I think it's brilliant. Well done, Dr Peters and the IIA team. It's a really professional magazine for our chartered institute.
Rogue Trader

A change is as good as a rest and I quite like the look of the magazine. It feels and looks a bit like Management Today. The magazine's website looks OK and I'll get used to finding things on it, but having two websites to go around seems less user-friendly. For example, where do I go for the latest information and news: the magazine website or the main institute site or both? A magazine every two months and an extra website that initially seems to replicate the content of the magazine and some of the main IIA website doesn't feel like a wonderful improvement or fair swap to me at this stage, but I hope that I'll be convinced by the improved quality of the content as time goes by.
Chessh

Overall, it's a modern magazine for our profession. It's less glossy and more matt and Economist-like. Many readers will still turn to the back pages first, but they will also find a clearer diary of audit courses and events. Maybe in future a PDF or iPad version would allow people to choose whether they wanted the physical magazine any more. But, while I'm not averse to having separate websites, the location of this forum on www.iia.org.uk is a contradiction. The change is appreciated, though.
Hainba

I like the layout and style. Mind you, I also liked the old-style magazine. I'm also happy with it being published every two months, since the articles can seem rather repetitive at times. But I don't understand why some jobs are advertised in the magazine that are not on the IIA site. If anything, I would have expected it to be the other way round.
Simon

An interesting article, as ever, from Lord Smith (Eyes wide open), although I have never really seen myself as a canary. Still, it's better than being a dodo.
Aidan

This role requires a balanced approach and real bravery (Eyes wide open). I couldn't agree more, but the canary in the mineshaft was sacrificial: when it dropped off its perch the miners knew there was too much methane in the air and they should get out. I don't think many people would want a career in internal audit if our demise was the first indicator that a business was in trouble. That's the trouble with metaphors.
Sarah

I like the quality and size of the magazine. I also like the technical Q&A session, which should encourage more internal auditors to use the online forum facility that the institute provides.
John


Looking for more? GO online


Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

UPDATE
We round up the latest business and regulatory news to affect the internal audit profession.
Cyber threats forecast for 2012
Next year will see new and increasingly sophisticated means of capturing and exploiting user data, as well as a battle for the control of online information, according to internet security experts. The Georgia Tech emerging cyber threats report for 2012 has identified a number of trends that will become increasingly important for organisations to manage. Key issues include the lack of security surrounding mobile applications; the increased threat of botnets (networks of compromised computers used for malicious purposes); the risks facing users of cloud computing; and how information needs to be controlled online.

Internal audit departments falling short on IT risks


Most internal audit teams are still failing to place enough emphasis on understanding and assessing their organisation's IT risks, according to the findings of a new poll. An IT audit benchmarking survey by consulting firm Protiviti has found that many organisations, including one in four with revenues of up to $1bn, have not conducted any kind of IT audit risk assessment. In addition, 42 per cent of respondents acknowledged that there were specific parts of their IT audit plans that they could not address properly owing to a lack of resources and expertise.

The survey confirmed that the smaller the company, the less likely it was to have an IT audit function: 43 per cent of companies turning over less than $100m a year had no such department. Of organisations with annual revenues of $100m to $1bn, 82 per cent did not have a designated IT audit director or an equivalent role. Protiviti also found that nearly 70 per cent of North American companies and nearly 80 per cent of companies in Europe, Africa and Asia had not completed an evaluation and assessment of their IT governance process, as outlined in the IIA's standard 2110.A2.

Mark Peters, UK director at Protiviti, said: "If an internal audit function is not thinking about IT governance, IT risks and conducting an IT risk assessment, it should be. The increased use of, and demand for, technology and data compel companies to review how they are used and the risks this creates."

For more information about the survey, visit bit.ly/qH2pxF

IIA endorses advice on risk appetite


The Institute of Risk Management (IRM) has published guidance aimed at helping organisations to improve their understanding of the risks they take when pursuing strategic objectives. The publication has been endorsed by the IIA and other bodies concerned with risk management and accounting. It suggests five tests that an organisation should apply in reviewing its risk appetite framework. It also lists 25 questions for boards to consider.
To download the IRM paper, Risk appetite and tolerance, visit bit.ly/km8Koq

To download a copy of the report, visit bit.ly/pnxp3E

Guidance issued on board relations and data analysis

IIA Global has released a practice guide entitled Interaction with the board, which is designed to help HIAs meet the requirements of the international professional practices framework to promote better communications with board members. IIA Global has also released a guide entitled GTAG 16: Data analysis technologies. This is designed to help internal auditors understand the risks they face when implementing data analysis technology. The two publications can be accessed at bit.ly/pkgcJY and bit.ly/ojSqkb

FTSE 350 leave reporting gaps


Fewer than half (45 per cent) of the UK's big listed companies clearly explain the potential effects of the risks they identify or how they intend to mitigate these, according to research by PricewaterhouseCoopers. Its survey of the FTSE 350 found a gap between the risks facing the companies and the information provided to their investors. Only 35 per cent aligned key performance indicators (KPIs) with strategic priorities, while two-thirds failed to define their business models clearly in their annual reports. But PwC did make some positive findings: 97 per cent of the respondents reported their principal risks; 84 per cent discussed future market trends; and 93 per cent identified KPIs. Visit http://pwc.to/oQ0nPJ to read the full report.

Institute welcomes FRC's proposals on risk disclosure

The IIA has hailed plans by the UK's corporate governance regulator to investigate how companies' reporting of strategic risks can be improved. The Financial Reporting Council (FRC) wants to ensure that companies inform investors about the specific threats they face, rather than outlining the generic risks that affect all businesses. The council has proposed updating the Turnbull Guidance, which sets out best practice on internal control for UK-listed companies, and it will consider whether the corporate governance code needs to be changed.

Jackie Cain, policy director at the institute, said that investors were concerned that the reporting of risk in companies can be superficial. The FRC has highlighted that the problem is not a lack of information, but a lack of properly focused information. Guidelines on how companies should report their risks would be a huge step.

The FRC is not the only body working to make corporate disclosures more useful. The International Integrated Reporting Committee (IIRC), a group representing businesses, accountants and investors, has published a discussion paper calling on companies to publish more comprehensive and meaningful information about all aspects of their performance in a more concise and user-friendly format. The paper also offers initial proposals for the development of an international integrated reporting framework. For more information about the FRC's plans, visit bit.ly/p6XU96. The IIRC paper can be accessed at www.theiirc.org

US federal body updates risk assessment guide

The National Institute of Standards and Technology has published the initial public draft of its Guide for conducting risk assessments, an extensive update to its 2002 publication. The US government agency has expanded the guide to include more information on a range of factors essential to determining the level of information security risk in an organisation. The publication describes a three-step process to help prepare for risk assessments, conduct these successfully and keep the results up to date. To download the guide, visit http://1.usa.gov/naRLVO

71% of HIAs can see substantial scope for improving the understanding of risk across their organisation.

REPORTAGE

Heads of internal audit overwhelmingly believe that the quality of non-executive directors (Neds) and the importance of their role have increased in recent years, according to an IIA survey of more than 200 HIAs. But the findings, covered by a range of media, including the Financial Times and BBC Radio 5 live, also show that there's still a long way to go in improving board-level risk management in many organisations.

Understanding risk: two main barriers

66% of HIAs said their Neds were wholly or very dependent on the executive management team for information.

28% of HIAs said their Neds had an average or poor understanding of their company's operational risks.

To read the report, visit bit.ly/pLRm2b

Key issues

Many Neds fail to probe risks and a significant minority lack the necessary independence: 32% of HIAs said the Neds on their board did not scrutinise risk adequately and 17 per cent reported that they did not believe their Neds operated independently enough to challenge the executive management team.

Neds' analysis of risk may be too narrow: 28% of boards surveyed had no formal process to determine how much risk the business should be prepared to take on and paid too little attention to operational and compliance risks.

In many companies, reviewing risk is left entirely to the audit committee: 63% of respondents said that audit committee members alone had contact with the internal audit team. Consequently, other Neds may be missing a chance to bring their knowledge and experience to bear on crucial risk issues.

"Boards' scrutiny of risk management still needs to become more robust. This must be the number-one lesson from the financial crisis"
Ian Peters, chief executive of the IIA.

Bad company

Overlooked and under-reported, the true extent of corporate malpractice in the UK is an unknown quantity.
Words: John Coutts

Backhanders. Bungs. Kickbacks. Payola. Backsheesh. There's no shortage of slang to describe the dark arts of corruption. Yet such expressions arguably take the sting out of what is, potentially, an increasingly serious problem. According to a recent report by Transparency International, a non-governmental organisation that monitors malpractice, the UK doesn't take the threat of corruption seriously enough. "It is clear that there is systemic complacency about corruption in this country, even if the problem is not endemic," says Chandrashekhar Krishnan, executive director of Transparency International UK.

Companies with internal auditors are generally well run and less likely to tolerate or perpetrate crimes such as fraud, bribery and corruption. But there's no such thing as a zero-risk environment. And, while most cases of corporate malpractice involve very small numbers of people, the penalties and reputational impact can be serious.

Companies with overseas operations face particular risks. This is highlighted by a recent High Court case in which the Serious Fraud Office (SFO) took action against Macmillan Publishers Limited (MPL). The initial inquiry started after a report from the World Bank: an attempt had been made by an agent to pay a sum of money with a view to persuading the award of a World Bank-funded tender to supply educational materials in South Sudan. MPL was ordered to pay more than £11m in recognition of sums it received, generated through unlawful conduct related to its education division in east and west Africa.

This case is one of a growing number pursued by the SFO under civil, rather than criminal, proceedings. It represents a new and more lenient approach, but civil settlement is an avenue that is open only to companies prepared to step forward and co-operate. Adopting this approach allows businesses to limit the damage if serious wrongdoing is discovered.

"We're not looking to put anybody out of business," says Jane de Lozey, a senior lawyer at the SFO. "But we are looking to stamp out fraud and corruption. What we are offering is a degree of pragmatism and commercial awareness, and we're promising to listen. If companies have a genuine intent to clean up their act and to put in place proper procedures, we will work with them to achieve that."


Like an individual person, a company can be charged, tried, found guilty and sentenced. A criminal conviction for a business can spell disaster, in some cases barring companies from EU procurement contracts. A civil settlement, by contrast, allows justice to be done without sinking the organisation in the process.

The real extent of corporate crime remains a matter of guesswork. Few official statistics are compiled, and none in the case of bribery. But figures provided in response to a parliamentary question in 2009 revealed that in the ten years to 2007, an average of 12 people each year were convicted under bribery and corruption legislation. This figure is considered low by international standards.

Despite the enactment of the Bribery Act 2010, few experts envisage an upsurge in convictions for corruption, at least for acts of bribery committed within the UK. But the new legislation, essential in fulfilling the UK's obligations under the OECD's anti-bribery convention, widened the net considerably by creating a new offence of a failure by a commercial organisation to prevent a bribe being paid for or on its behalf.

Significantly, organisations with adequate policies and procedures in place to counter bribery are able to offer this as a defence under the new act. Providing assurance to the board, via the audit committee, that those policies are being administered effectively is a key role for internal auditors.

Remote control
Keeping tabs on operations outside the UK presents a challenge, especially in remote locations, because, in many cases, companies have to make use of people who are not employed directly by them. Rigorous selection and oversight processes are essential, therefore.

"We've always had a robust process that we go through before we sign on any intermediaries or third parties to work on our behalf," says Audrey Coutinho, global director for internal audit at publisher Reed Elsevier. "That means working with people who align with our code of ethics and code of conduct. But, to a great extent, we make sure that we have our own people on the ground. This gives you far greater control and better audit visibility."

Successful businesses recognise that a zero-tolerance approach is the only way. That means continuous monitoring and being prepared to take decisive steps, including contract terminations.

"If you have a gut feeling that something isn't right or if you don't like the way a particular agent is working, find somebody else you are happy to work with," says Coutinho. "It's a far more proactive approach than waiting for something to happen."

Preventing fraud and creating a climate that limits opportunities for wrongdoing is a management function. The role of internal audit is to test that the controls in place to identify and minimise corporate malpractice are working correctly. In the case of BT, that process starts the moment new recruits walk through the door. Staff are expected to abide by the company's code of ethics, set out in a document called The way we work. Regular training and testing is mandatory.

"Everybody, no matter who they are, has to complete that training," says James Grigor, director of internal audit at BT. "My team provides independent assurance that this is being delivered effectively."

In large organisations (BT employs about 100,000 people) good communications are at the heart of sound corporate governance.

"The success of any audit team depends on how it engages with other stakeholders in the organisation," Grigor stresses. "So our relationship with the governance teams, the compliance teams, the security teams and investigations teams is essential. With those functions working together, you create an environment that is tangibly robust to the threat of malpractice."

Lapdog souchong
In well-run businesses, the primary consideration is making sure that corruption is not allowed to take root in the first place. That starts by recognising that malpractice can be a tough nut to crack, and it can all start with a cup of tea. Transparency International highlights the practice known as "grooming", in which employees involved in procurement are systematically compromised, with cups of tea giving way to corporate hospitality, tickets to events and promises of holiday accommodation, on the understanding that a particular bidder is favoured. The ramping up of bribes is one of the hallmarks of grooming. By the time large inducements are offered, employees may be too afraid to call a stop for fear of revealing hospitality that's already been received.

What's clear is that corruption, particularly in its early stages, is notoriously hard to spot. So what are the warning signs that internal auditors should look out for?

"One of them is evasive or unnecessarily complicated answers to straightforward questions," says the SFO's De Lozey. "Other things to watch for are people who keep cancelling meetings with you and employees who refer everything upwards."

A determination to leave no stone unturned is critical in such situations. "Be suspicious in cases where copies of documents are provided to you and you are told that the originals are lost, and scrutinise unusual transactions," De Lozey advises. "Be aware of any change of auditors and accountants, particularly from one of the large firms to a much smaller one."

Internal auditors should also be on the lookout for unusual advisers: people or organisations you would not expect to find acting as intermediaries on a particular deal, perhaps because the firm is one you've not encountered before, or one that does not have a reputation in the relevant area.

"Generally, the use of introducers and anything labelled a commission payment must be scrutinised very carefully," De Lozey stresses. Significant commission payments, those outside the industry norm, should ring alarm bells. In one case, a company was being run fraudulently and had listed in its accounts sales commission payments to bogus members of staff. If anyone had checked the list of current employees, they would have seen that these names weren't those of this firm's members of staff; they were employees of the large company that they were corrupting, and bribing.

The difficulty with tackling any fraudulent activity, on any scale, is that the people involved will usually be highly adept at covering their tracks. While there's no magic bullet, persistence by internal auditors pays off.

"You have to be prepared to dig around," says De Lozey. "Be a nuisance and never accept the glib answers that people give you."


A glossary of corporate malfeasance


Bribery
Giving or taking something of value to influence a transaction. The legal framework for combating bribery in the UK public and private sectors is provided by the Bribery Act 2010. The legislation created a new offence of the failure by a commercial organisation to prevent a bribe being paid for or on its behalf.

Fraud
An act of deception intended for personal gain or to cause a loss to another party. The offence can include deception whereby someone knowingly makes a false representation, fails to disclose information or abuses their position.

Insider trading
In financial markets, this occurs when an insider deals, or attempts to deal, on the basis of precise information that is not generally available.

Corruption
A broad term covering a wide range of illegal activities, including those such as bribery, in which private gain is obtained at public expense. Transparency International defines corruption as "the abuse of entrusted power for private gain". It hurts everyone whose life, livelihood or happiness depends on the integrity of people in a position of authority.

Kickback
That part of the value of a contract demanded as a bribe by an official for securing the contract.

Conflict of interest
This arises when an employee has an economic or personal interest in a transaction.

Illegal gratuity
In effect, this is bribery after the event: giving or taking something of value after a transaction is completed in acknowledgment of influence over that dealing.

Cartel
An agreement between two or more businesses not to compete. The Office of Fair Trading notes that cartel arrangements are usually secret, verbal and often informal. Cartels are synonymous with price fixing, but there are numerous other ways in which cartels operate anti-competitively. These include agreeing on output levels, credit terms and discounts.

Price fixing
An agreement, usually by suppliers, to sell only at a fixed price (see Cartel). Some types of price fixing are legal.

Corporate espionage
This includes the theft of trade secrets and intellectual property.

Seismic precautions


This year has provided several reminders that cataclysmic events can occur even in the most developed and stable markets, and that the aftershocks can be felt around the world. How well prepared is your organisation for geopolitical risks?
Words: Neil Hodge
Main photograph: Sebastiao Salgado/nbpictures
The Japanese earthquake and tsunami in March closed the world's largest market for producing and shipping components, from car parts to computer chips, for weeks. Companies such as Apple, which sourced most of the parts for its iPad and iPhone devices from Japan, had to scramble to find alternative suppliers. Meanwhile, revolts in north Africa and the Middle East escalated throughout the spring, reminding companies around the world of the potential dangers for their operations in these markets and demonstrating the damage that political instability can do to production.

It is hardly surprising, therefore, that geopolitical risk is a hot topic on the boardroom agenda. This is putting pressure on internal auditors to keep abreast of the new threats and their potential consequences and to challenge management thinking about them.

Some industries are more experienced at identifying and managing such risks than others. The oil and gas sector has operated in high-risk countries ever since drilling began. BP's board, for example, reviews its key group risks and how they are managed every year as part of its annual group plan. It decides which geopolitical risks it will monitor and which will be allocated to other committees to oversee, with appropriate reporting back to the board.

UK airports operator BAA also puts geopolitical risks high on its agenda. It says that unanticipated long-term changes in demand for air travel could lead to misaligned operational capacity. The company conducts a series of scenario-planning exercises to ensure that it can react effectively to adverse contingencies.

Case study: from prime destination to last resort
Tourism is an industry that's particularly vulnerable to geopolitical risk. "Keeping a check on political trends is important to us, as we have hotels worldwide, many of them in high-risk countries in Africa, Asia and Latin America," says the director of security at a leading hotel chain.

He says that the group's security management strategy hinges on sound intelligence and information-sharing. Many of the company's security experts have a background in military intelligence.

"We rely on local expertise to tell us of any threats that may affect our hotels or guests and staff. For example, we had tip-offs five days in advance that the protest in Tahrir Square in Cairo would be met with military force on Friday after prayers. This gave us time to plan and enforce security around our buildings and to advise guests to stay indoors."

He says that the Hotel Security Working Group (a collaborative group of security chiefs in the world's biggest hotel chains, including Marriott and Hilton, which is sponsored by the US State Department) also provided invaluable guidance.

"We picked up practical advice from heads of security at other hotel groups that we could compare with our own assessments of the situation. This gave us a clearer indication of whether our information was accurate, what actions our rivals were taking and what advice the State Department and the UK Foreign and Commonwealth Office were providing."

He believes that such information-sharing arrangements are vital for managing geopolitical risks, adding: "Other industries are seeking to set up similar working groups to address these kinds of risks and improve their contingency planning."

Crude tactics: it took nearly a year to extinguish all of the 600-plus Kuwaiti oil wells set ablaze by retreating Iraqi forces during the first Gulf war in 1991.

What could possibly go wrong? BAA uses scenario planning to inform its geopolitical risk management strategy.

Fermentation versus fomentation


But companies in less obviously dangerous sectors can also be exposed to such risks. French yoghurt company Danone, for example, identifies geopolitical events among the factors that could substantially affect the price of its raw materials for products and packaging. Price volatility will hit the group's financial results, particularly if it can't pass cost rises on to customers.

Danone recently expanded into the Middle East and north Africa, but its plans have already hit problems. In Egypt, for example, the company had to close its operations for a fortnight while it offered expat workers the chance to repatriate during the uprising. Its ability to move dairy cattle was disrupted and three of its cows died while waiting for transport. Danone says the problems could have been worse, but adds that it is very aware of the increased political risk of operating in such countries.

Yet organisations in some sectors still underestimate the potential impact of geopolitical factors, believing them to be relevant only to high-risk and cash-intensive industries such as mining, defence, energy and tourism (see panel, previous page). Furthermore, companies often think they will suffer little direct impact if they have no operations in dangerous parts of the world.

In brief
The bad news: geopolitical risk affects all companies, no matter where they operate, through its effects on the global economy and on extended supply chains. While businesses in sectors traditionally perceived as risky tend to monitor and analyse geopolitical risk well, too many see it as irrelevant. This could prove a costly mistake.
The good news: internal auditors have a large part to play in raising the profile of these risks at board level and helping to establish monitoring and control processes. Effective actions to mitigate risk need not cost much, although accurate data is vital.

This is a big mistake, according to John Abbott, head of corporate risk advisory services at professional services firm RSM Tenon. "Mid-market businesses suffer from the macroeconomic effects of geopolitical risk, such as increased fuel and commodity prices and lower disposable incomes in emerging markets, which can reduce consumer spending," he says. "Geopolitical risk can even affect entities that operate in the UK only."

Furthermore, Abbott warns, many mid-market companies are exposed to risks in countries such as China because of supply-chain problems. This is why the chances of political and environmental turbulence need to be factored into all organisations' strategic risk assessments. Internal auditors should ensure that this is done properly with board involvement. For example, he says, organisations may now need to ask: will the new regime in Libya be a more or less stable business partner? And how do I deal with my Japanese supplier in the wake of the tsunami? And, beyond this, what are the longer-term impacts of climate change?

"Geopolitical risk is something that internal auditors should get involved in," he argues. It is up to them to ensure that the company has the right mix of risk management and governance expertise in place to give assurance to the board that such factors are being considered and that action is being taken to minimise exposures. For example, the internal auditors need to challenge the senior management team with tough questions about how it reviews the company's supply chains and its business-disruption policies and whether these are tested regularly. The function also needs to make it clear that, while the organisation's direct exposure to geopolitical risk may be low, its indirect exposure through its supply chain and customers may be high, depending on where it sources materials and sells goods, Abbott adds.

Paul Sawdon, head of internal audit for the UK at professional services firm KPMG, agrees. "It is our job as a profession to ask questions and challenge the board and senior managers about risks facing the business. Geopolitical risks are no different from any other area of risk management in that respect, so internal audit needs to keep asking questions and challenging the management team. If we don't do that, we aren't adding value," he says.

But, while some organisations may see geopolitical risks as too complex to deal with internally, Abbott believes they may be pleasantly surprised at how straightforward it actually is. "A lot of this is based on scenario planning: experienced people sitting in a room talking about social and political risk and how it might affect investment in another company, rather than systemic ways of identifying risk," he says.

The process doesn't need to be costly, either. "It's more about organising the board and non-executives to have the right debate in the right way than about spending a lot of money on advisers and systems," he says. "You have to create the right environment in the boardroom to have the debate."

How to mitigate the risks to your supply chain

"Geopolitical events can cause serious disruption to the supply chain and hence the core operations of an organisation," says Sajid Ghani, global managing director at business consultancy PRGX Business Analytics. "The internal auditing function can play a significant role by helping to make a data-driven assessment of the risk factors and then by helping to design and maintain assurance over a framework of controls to help mitigate these."

"First, it's vital to maximise your use of accurate supply-chain data," he says. "For instance, find out which categories of spend are being purchased (or could be purchased), in which regions and from which suppliers. Higher-value suppliers should be profiled regularly in terms of their financial strength and sustainability."

This information can be combined with a regular assessment of the political, geographic and economic risk factors for each of the regions upon which the organisation's supply chain depends. By ensuring that an organisation is quantifying its supply-side risks, internal audit is well placed to help design controls and measure their effectiveness, for example by making alternative sourcing arrangements, increasing insurance cover or maintaining a disaster management plan.

"Organisations that are used to living with higher levels of geopolitical risk typically have active supply chain risk management programmes in place," Ghani explains. "This will entail making regular risk assessments of suppliers and their operating environments, forging close relationships with strategic suppliers and maintaining 'plan B' options to circumvent regional disruptions in supply."

Communication with key suppliers can be enabled by a formal supplier relationship and risk management (SRRM) programme. "Internal audit can help to make sure that such a programme is fit for purpose and asks the right questions," Ghani says. "As part of SRRM, or additional internal audit procedures, you can gain greater assurance by routinely certifying key suppliers for their security and safety provisions."


For further information


The World Economic Forum provides an interactive map of key global risks for 2011. For details visit bit.ly/lEa6Yv

Healthy appetite
As a landmark study by the Institute of Risk Management highlights, if risk is managed properly, it becomes less of a threat and more of an opportunity.
Words: Selwyn Parker


Speaking in spring, just after the Japanese earthquake, Germany's chancellor, Angela Merkel, said: "If the seemingly impossible becomes possible [and] the absolutely unlikely becomes reality in a highly developed country such as Japan, that changes the situation." The quake and tsunami had dire and unpredictable consequences worldwide, including in Germany, where the nuclear industry now faces an obligatory measured exit by 2022.

Good businesses and organisations accept that they face certain risks (unexpected, situation-changing events) and adopt measures that they believe, or hope, will protect them from the worst effects. But, as the Institute of Risk Management (IRM) outlines in a recent research report, Risk appetite and tolerance, risk is a many-headed beast that should be handled in a more focused and disciplined way, particularly at board level.

"Until an organisation has a clear view of both its risk capacity and its risk management maturity, it cannot be clear as to what approach would work or how it should be implemented," the report argues.

The upside of this is that, if it's properly integrated into an organisation, risk becomes an opportunity to be exploited rather than a threat to be feared. First, boards have a significant amount of work to do. Risk is viewed differently by each organisation, depending on its risk appetite, tolerance of risk and risk performance.

"Whether it is a matter of setting, monitoring or overseeing risk appetite, this is a subject that has proved to be somewhat elusive: it means many different things to many different people," the report notes. "For example, some see it as a series of limits, some see it as empowerment, some see it as something that has to be expressed in terms of net risk and others, gross risk."

New perspectives
The report was written mainly by Richard Anderson, IRM deputy chairman, with the help of a heavyweight working group from the banking, resources, telecoms and risk consulting industries. It aims to stimulate a much more enlightened debate on handling corporate risk.

"It is our view that risk appetite, correctly defined, approached and implemented, should be a fundamental business concept that could make a fundamental difference to how organisations are run," the report states.

But Anderson, a veteran of the risk management industry who has advised scores of companies across the commercial spectrum, believes that if this is to happen it must be preceded by what may be a potentially agonising, but ultimately rewarding, process of internal examination.

"The main area where organisations are struggling with risk appetite is in getting to grips with the multi-faceted nature of it," Anderson says. "For so long risk management has been seen as a simple (and comparatively low-value-adding) exercise, but here we are saying that it's at the heart of a business from strategy to operations and that it is at once about managing people and about dealing with hard-edged numbers.

"Making it relevant and creating new tensions in the boardroom is going to be hard work, especially when organisations get to grips with the necessary data," he adds. "While risk appetite doesn't need to be a new industry, it does have to make a difference. Otherwise, it is a waste of time."

The proof is in the pudding. In hindsight it's indisputable that a more formal analysis by News International of its exposure to risk would have alerted its managers to phone-hacking practices. And, as its congressional testimony revealed, even BP's sophisticated monitoring systems proved insufficient to anticipate, measure and control the long-term consequences of the Deepwater Horizon blow-out.

But there are no excuses. Jackie Cain, policy director at the IIA, points out that boards of directors have an official mandate to take such risks into account. "A business is responsible for risks that the company runs," she says. "The code of corporate governance makes that responsibility specific." And yet the concept of risk is not well understood.

The IRM is not proposing a new era of puritanical risk aversion, and nor does the governance code; far from it. "Our underpinning precept is that organisations can progress only by taking those risks that they need to embrace and by managing down those that they wish to avoid," Anderson says.

The report makes it clear that risk appetite and risk tolerance are inextricably linked to performance over time. The big question is: what does successful performance look like? So it's not about avoiding risk but about embracing it in the right way.

"There's nothing wrong with taking risks," Cain explains. "But it must be identified and the company must account for it. It's dishonourable for a company not to know the risks it's taking. It's all about accountability." That's why, as the report observes, "we also anticipate more use of key risk indicators and key control indicators".

Much, if not most, of the theory and practice of risk has until recently originated from the financial sector, and many there got it all wrong. The "quants" in the giant institutions convinced their superiors that they had all but eliminated risk in investment banking. Accountants, consultants add, also played their part by relying on an approach that was too mechanistic, being overly reliant on numbers and measures.

A box-ticking approach is not advised. Rather, the entire exercise should start at the bottom. "Identifying the risk a company runs is the first step," Cain says. "It should begin with people at every level. Risk is not numeric. There's no one kind of measurement."

Often the dangers are obvious. Yet serious threats can also go largely unrecognised and unmonitored if they are harder to trace and define. Cain believes that one of the biggest challenges for boards can be making all employees sensitive to the risk culture. "It's the visibility of risk that will be important," she says. The entire exercise is ultimately anchored in organisational behaviour.

Carolyn Williams, the IRM's head of thought leadership, says: "The biggest hidden risk is actually a rather boring one: poor housekeeping. An organisation with low standards of operational performance is so much more vulnerable to problems and to the snowball effect where one problem causes others, with costly consequences."

And, as executives at Japan's Tepco nuclear power station, which is in effect now under state control, would probably agree, some risks may be beyond a company's control but not necessarily outside its responsibility. "You can't manage each risk," Cain says. "But it is important to be aware of it and monitor it."

The IRM doesn't present its report as the bible on the topic, but rather as a starting point in what promises to be a long-running issue. As the authors point out: "We do not think that this will be the last word on the subject in such a fast-moving environment."

Germany's nuclear industry faces an obligatory measured exit because of Japan's experience.

read more
Find a longer version of this article, including tips on setting risk appetite, at www.auditandrisk.org.uk

IIA Partner feature

Completing the ERM Circle


The Role of Continuous Controls Monitoring

Andrew Simpson B.Sc. MBA, Chief Operating Officer, CaseWare RCM Inc.
Bruce Scott FCCA, MBA, CIA, CISA, Partner, Risk and Advisory Services, PricewaterhouseCoopers

Introduction
The Governance, Risk and Compliance (GRC) profession has evolved steadily over the past decade, involving established concepts such as Enterprise Risk Management (ERM) and some relatively newer ones like Continuous Controls Monitoring (CCM). ERM has added tremendous value to organizations by strengthening their internal control systems. CCM helps companies to improve operational performance and lower compliance costs, according to researchers like Gartner. As other aspects of the GRC space consolidate, are there potential synergies between ERM and CCM?

Monitoring
While most will agree that there have been varying degrees of success in implementing all elements of the ERM framework, one key element that remains elusive is an effective monitoring mechanism: a mechanism that not only monitors an entity's significant risks, but reports, investigates, and escalates in a timely fashion, throughout the organisation. The importance of monitoring has been entrenched in the COSO ERM Integrated Framework by assigning it an entire section of the COSO cube.

Specific Challenges

Time taken to Perform Self Assessments
One of the biggest challenges is the time required by risk owners to ensure that significant automated controls are in fact working. For example, a mortgage company has a risk of losing millions of dollars where penalty charges on late mortgage payments are not being properly calculated and booked to the mortgagors' accounts. The risk owner now has the challenge of selecting a sample of late payments from a past period, and testing the controls manually or with the assistance of a spreadsheet application. Note that all of this has to be done while the risk owner continues to perform his or her normal operational activities.

Delays in Identifying Breaches
There is a delay between when a breach occurs and when it is identified. Testing the rules discussed above regarding late mortgage payments from a past period is useful but does not address the issue of potential losses because of the delay in detecting the problem.

Coordination with the IT Department
Risk owners will sometimes request data from IT to upload to local spreadsheets for testing. This introduces data security risks as large volumes of sensitive data become resident on local computers which may not be properly secured.

Transparency in Reporting
Once the relevant self assessment tests have been performed, the results are not always thoroughly investigated and/or reported to the Board or Audit Committee where serious breaches have been detected. Managers face a significant ethical dilemma as reporting serious breaches may reflect negatively on their performance and could also affect incentive payments and job security.

Overcoming ERM Challenges with CCM

Time taken to Perform Self Assessments
CCM is implemented as an independent testing mechanism whereby controls are assessed by examining the core application's data. This is fully automated and Management only needs to react to the control exceptions, but more importantly the adequacy of the control is being determined independently. Unlike traditional approaches whereby there is significant work every 3 or 6 months, CCM has its efforts concentrated in the initial implementation. Additional controls can be introduced with minimal cost/effort as the corporate risk management strategy evolves. Such scalability is not available in traditional approaches to assessing controls.

Delays in Identifying Breaches
With CCM the controls may be tested several times per day, daily, weekly, monthly and so on. If a control breach takes 2 days to impact the company then examining it daily gives management another day to prevent the business from being affected. Waiting 6 months to know the state of a control is simply not acceptable after the investment in time and resources to implement a thorough ERM programme.

Coordination with the IT Department
CCM addresses major concerns regarding the safeguarding of IT assets, primarily data. The entire data extraction, consolidation and control assessment is done in a secured environment. Even the remediation process performed by management is stored in a secured database. The recurring demands on the IT department to provide reports for risk owners for them to determine the adequacy of the control is time consuming, but with CCM this process is implemented once and then automated. Management is only notified if there is a problem or a potential problem.

Transparency in Reporting
Remediation of control breaches is just as important as detecting them initially. The CCM framework ensures that once the issue is detected it is assigned to the relevant person, timelines are established and an escalation path determined. Other critical players are also notified, such as Internal Audit, Risk and Compliance. There is no opportunity for the issue to be concealed and therefore all stakeholders are inclined to collaborate and resolve the breakdown in control.

Role of Internal Audit
Leading ERM methodologies require Internal Auditors, like Management, to play a key role in ensuring that an entity's high risk areas are monitored. In environments where CCM is first implemented by internal auditors (continuous auditing), the auditors' image and reputation in the organisation is significantly enhanced. This frequently results in management asking the auditors for advice and direction as they move to install their own CCM solution (continuous monitoring). In these situations auditors must be careful that their independence is not tainted based on their close association with management's CCM implementation. This can be managed by ensuring that the Department's role is solely that of an advisor.

Conclusion
Allowing CCM and ERM to enhance each other will solve many long standing challenges in governance, risk and compliance disciplines. ERM should be used to establish the foundation for implementing effective internal controls monitoring, while CCM should be used as a powerful tool to provide more independent and timely information on the effectiveness of internal controls. When implemented properly, management and other stakeholders will experience a remarkable improvement in the value added by both CCM and ERM, primarily by creating a sustainable and dynamic internal controls environment.

Based on the whitepaper, Completing the ERM Circle with Monitoring. Visit www.caseware.com to download.

New voices

On 5 October the IIA welcomed its new president and deputy president. Audit & Risk caught up with David Reynolds FIIA and Nicola Rimmer CFIIA to hear about their hopes for the institute and the profession.
Words: Alice Hoey Photograph: Charlie Hopkinson

David Reynolds FIIA
IIA president

IN PROFILE:
The IIA's president, David Reynolds, has been involved in internal auditing for nearly 25 years. Since leaving his position as director of internal audit and regulatory compliance at BT in 2007, he has held the chairmanship of the IIA Scotland committee and has served as a member of council and as the institute's deputy president. He also has a directorial role with the UK arm of US-based consultancy MorganFranklin.

Internal auditing is under the spotlight, arguably in a very positive way and increasingly because we, the institute, choose to put it there. We've done a great job over the past 18 months in delivering the strategy outlined in Essential to success and we'll keep beating that drum. But we must now also form clearer policy positions on key areas, such as our relationships with regulators, external auditors, boards and audit committees and risk management functions. What status should our reports and opinions have and how should they be used? And how should we exercise our responsibility to engage at strategic management level? The IIA executive and council have started working on this policy challenge, backed up by research and opinion-gathering that will allow us to fight our corner. We need heads of audit to collaborate with us to support and guide the development of those policies. We also need to explore whether and how we can make better use of our relationships with the eight sector-specific special-interest groups. These are seldom used to help shape our thinking. The IIA doesn't have the capacity to understand and intelligently opine on the specific needs of every sector or, for that matter, those of the governments of the UK, Ireland and the EU. Although the special-interest groups, our regions and the European IIA organisation can help, we will need to prioritise the policy areas we tackle. One area we can't ignore is the public sector, from which comes a sizeable percentage of our members. The need to develop our influence and policy applies equally to the public sector and the private sector, and it is pleasing to see the progress made with our colleagues in CIPFA. I am quietly confident that this collaboration will bring significant value to both institutes.

We also have wider aspirations and are fully engaged with IIA Global and in developing a global strategy. We expect to host the IIA Global conference in 2014 and have made good progress regarding the potential for our Advanced Diploma to be part of a global suite of qualifications. While we may not instinctively seek the limelight as practitioners, we must be highly visible in our organisations, from top to bottom, if we want to be truly influential. But, more than that, if we want to meet our ambition to be trusted advisers and strategic partners, we must also be knowledgeable about our organisations and how the components fit together from an internal control and risk management perspective. We must also be alive to the negative and sometimes corrosive cultural issues in our organisations and be willing and able to tackle them head on.

I believe that my experience and energy has served, and will continue to serve, the institute well during these early years of chartered status. It will be vital for us to make our mark in the business communities of the UK and Ireland, as well as with our colleagues and stakeholders here and overseas. Our efforts to provide a stronger voice to the IIA, an incisive commercial edge and a more productive engagement with heads of audit are vital to the growth and strength of the institute and worthy of strong leadership and direction from the president and deputy. I can commit to that and know that I can contribute directly and positively.

Nicola Rimmer CFIIA
IIA deputy president

IN PROFILE:
Nicola Rimmer has been an internal auditor for over 13 years and a qualified member of the IIA for almost as long. She has worked largely in the financial services sector, in large and small teams and at various levels, and is currently an audit manager at Friends Life. Within the IIA, Rimmer has held positions at district and council level, and has served on various committees, including the member network committee.

In this new role I'll welcome having more opportunities to meet and engage with our members. We are a membership organisation, so ensuring that we continue to identify and meet members' needs is vital. I'm keen to work with internal auditing practitioners to understand how internal auditing is being conducted and to share best practice on how we move towards being trusted advisers and strategic partners in our organisations. It has been a turbulent time for all organisations over the past few years and our members face challenges concerning how we can provide assurance in such a changing risk landscape. But the IIA can help in many ways, including through the information and insight provided by our magazine and website. The institute's qualifications are designed to provide a good framework of knowledge, while its courses, events and discussion forums provide a fantastic chance for members to network, share experience and gain knowledge.

I'm also looking forward to promoting our profession more widely. I'll be supporting the president and the CEO in driving the IIA's strategy: in particular, working with regulators, external auditors, boards and audit committees and other key stakeholders to promote the internal auditing role. By increasing our profile in the mainstream business media, we would hope to extend our reach to a wider audience. We must also look to promote a wider understanding among the public about what internal auditing is and what we do. This is extremely important for a professional body that has a public-interest dimension to its charter.

Internal auditing is increasingly coming under the spotlight. The profession is maturing and we are taking our place at the top table as a key part of the corporate governance framework. No other profession provides such insight and ability to influence across the whole organisation. But we cannot be complacent, and I am also looking forward to engaging with the wider profession in order to promote the IIA's work. Commentary on corporate governance and risk still doesn't include the role of internal auditing as a matter of course and our function received very little attention in the research into, and explanations of, the financial crisis. We have an ambitious strategy in place to develop and promote the profession, as well as to engage the leaders of the profession. As deputy president, I can positively contribute to the success of this strategy.

For further information, members can contact the institute's new president directly at thepresident@iia.org.uk

Demystifying risk management
Demands from stakeholders, increased business performance expectations, heightened external scrutiny and rising compliance costs have driven risk management and internal audit to the top of the corporate agenda. To address the rising expectations of chief stakeholders, internal audit needs to find new ways to deploy its risk and control based skills to help the organisation achieve its strategic objectives. Attend this one day seminar and find out what is happening in risk management and how internal audit can create a new value proposition.
Dates/locations: 10 November Leeds; 7 December London

Implementing the cloud: benefits, challenges and risks for internal audit
Cloud computing will impact all areas of your business, including people, processes and systems. With this new technology, risks are elevated as internal IT privacy and data controls and compliance models are replaced. A cloud strategy vetted and supported by internal audit will help organisations take advantage of the compelling cost benefits while managing potential new risks. Attend this seminar and learn how cloud will impact your business and what control assurances internal audit could provide.
Dates/locations: 24 November London

Also coming up
The Bribery Act: what it means for internal audit. 17 November Bristol; 1 December Worthing

For full details please see our website www.iia.org.uk

Crime Inc

Organised criminals pose serious risks to local authorities. The audit manager at Falkirk Council has tackled the issue head on, raising the profile of internal audit in the process.
Words: Christian Doherty

When local authorities highlight their risk exposure priorities, increasing emphasis on value for money and efficient delivery means it tends to be easier for audit teams to focus on these than on issues concerning fraud, corruption and crime. But Gordon O'Connor CMIIA, internal audit manager at Falkirk Council, along with auditors Graham Templeton CMIIA and Sandy Carmichael, recognised in 2009 that, unless their organisation took a new approach to organised criminal activity, it risked being an easy target.

First, they had to learn more about what they were up against. When we started, we saw organised crime as being like gangsters on TV, mafia-style figures, but doing this work we've started to understand that organised crime is run like big business, O'Connor says. Organised crime involves more than one person; requires control, planning and specialist resources; and causes, or could cause, significant harm while benefiting the criminals. The breadth of the council's activity and operations exposes it to many types of organised crime.

Working alongside the Scottish Crime and Drug Enforcement Agency (SCDEA), O'Connor soon realised that Falkirk had to update its response to these threats. SCDEA emphasised that the key to defining organised crime is that criminals are looking for power and profit. Anywhere there's an opportunity for these they will look to exploit it, he says. Once he understood the reach, capability and sophistication of organised crime, O'Connor saw that failing to address the risks left the council vulnerable in many ways. Falkirk is between Glasgow and Edinburgh, so we're between two centres of organised crime, he explains. The feeling we got from SCDEA's mapping was that, as criminals are pushed out of the big cities, areas such as Falkirk become increasingly vulnerable and attractive to them.

Authorities such as Falkirk are also attractive because they are perceived as having less knowledge than their large city counterparts do of organised crime and fewer resources to combat it. But, with 7,000 employees and a budget of about 350m, the council still presents a big target for criminals. Pressures on budgets have increased the perception that smaller local authorities are relatively defenceless.

The watershed moment came in June 2009 when the Scottish Serious Organised Crime Taskforce released its Letting our communities flourish strategy and we heard for the first time the types of organised crime risks that an authority could be exposed to, O'Connor says. The strategy focused on four Ds: divert individuals from crime; disrupt organised crime; deter criminals from targeting various groups; and detect criminal activity. We thought this is potentially pretty significant. After that, given our responsibility for providing assurance to the council's audit committee, we couldn't ignore it, he says. So O'Connor, Templeton and Carmichael started working on an approach for assessing risks posed by organised criminals to local authorities.

First, they had to get to grips with different activities perpetrated by organised networks and understand the scale of the problem. Then they could design an audit and assurance framework to meet the challenge. This wasn't easy, since organised crime thrives on secrecy. The unknown, more than the known, grabbed our attention, O'Connor explains. It made us think beyond organisations from which we purchased goods and focus on those that we contracted with and granted licences or planning permission. Closer to home, O'Connor had to consider ways in which council property could be used for criminal activity, from cannabis farms to prostitution and people trafficking, as well as fraudulent expense claims and benefit scams. Once he could see the risks, he worked with SCDEA to map vulnerabilities against police intelligence in order to establish key areas of local authority operations and see whether there was an established link to organised crime.

The next stage was to revisit the audits planned for 2010-11, O'Connor says. Looking at areas such as providing external funding and purchasing taxi services, we thought about them from a serious organised crime perspective. We tried to think of risks that we hadn't considered before. It soon became clear that equipping the authority, particularly the internal audit function, with a useful framework for mapping, rooting out and protecting against organised criminal activity would require a change of approach. That challenge was increased by pressure on budgets. We can't scrutinise every pound we spend, O'Connor says. But we're exposed on several levels and we have to think about how we deal with it: how we recruit and vet new staff and how we vet suppliers and the people responsible for providing goods and services and for delivering contracts.

He therefore looked for ways to overlay awareness of the issues on established audit protocols. The audit process hasn't changed fundamentally, but the thought process before each audit has, O'Connor says. I've got a set number of audit days, so I can't afford to dedicate a huge number of these to serious organised crime. But if we're going to audit procurement, say, then we will consider these risks at the planning stage and build this into the process. In the case of a taxi contract, for example, the audit team now considers issues ranging from information sharing and procurement policy to operator and driver licences and fit-and-proper person tests.

These changes have led to a much clearer understanding of risks and areas to improve. We've got the messages across and we're now more aware of the benefits of sharing information and having protocols in place, says O'Connor, who adds that managers are more aware of the risks they need to deal with in their departments. The senior management team is taking the threat from organised crime seriously, too. The objectives of the Letting our communities flourish strategy are embedded in operational and audit strategy, and links between the council and law enforcement authorities have been strengthened. The council has also considered its whistle-blowing procedures, beefed up its anti-money-laundering procedures and improved its communications with external agencies.

Now internal audit must ensure that it stays on senior management's agenda, O'Connor says. It mustn't be a six-month fad before normal business is resumed and financial pressures push it off the radar again. He believes that adding organised crime to the list of audit items would have failed if it had fundamentally changed the way the council worked: it would have used disproportionate resources and left gaps elsewhere.

Raising organised crime as an audit item has also brought unexpected benefits. It has boosted the profile of the internal audit team, and it has added freshness to our approach and outputs without necessarily using more resources, O'Connor says. And the response has been positive. We produced a document that sums up our work, the risks we looked at and the questions we asked, making that available to various bodies and across the Scottish Local Authorities Chief Internal Auditors Group. Responses suggest that other councils are keen to work in this area, he says. The initiative was highly commended in the 2011 Cliff Nicholson Awards for innovation and excellence in public service audit. But, what is most important is how much more aware our managers are of these risks than they were before, O'Connor says.

Key vulnerabilities
The procurement of services. Taxi services, for example, are often used as fronts because they have a high cash turnover.
The use of council property for illicit activity (people trafficking, prostitution, etc).
Fraudulent applications for council funding.
Information risk. Staff who access sensitive data are vulnerable to coercion or bribery.
Internal fraud. Disgruntled or compromised employees can access finance records or sensitive information.

Tools for the job

Top tips for enterprise-wide risk management

Allan Gifford, principal consultant with DNV, offers his eight pointers for introducing risk management across an organisation.

The key to good enterprise-wide risk management is to define success and then identify the appropriate actions. It's important to be proportionate in your response to problems in order to win friends; there's no point in using a sledgehammer to crack a nut. Good preparation will help to ensure that actions are relevant. Update your risk registers regularly to drive actions and remember that accurate information is essential in order to monitor these.

Work to a structure. Even the most entrepreneurial business needs some structure for its risk management, whether that involves following set guidelines or a code of practice. There are several of these already available. For example, ISO 31000, Risk management: principles and guidelines, defines the practice of risk management as it moves from principles to framework to process. In addition, you need to identify the roles in your organisation that need to be given risk-related objectives.

Define success. If you haven't defined what success means for your organisation, this shortcoming will be reflected in what comes out of the process. It is too easy for companies to become lazy and to rely on routine. Risk workshops are a good way to achieve a common understanding of your definition.

Avoid using jargon. You need to be able to talk the language of business as well as the language of risk. If not, you will put up barriers and managers will view you as an outsider.

Brief or train those who govern the organisation. If you don't think this is important, ask yourself how often risk information that is passed up through your organisation is used to change a process. The objective is to make change happen.

Keep risk registers fresh and relevant. There is a huge variety of risk registers, many examples of which are available on the internet, so check these out for ideas. Remember that you must identify what information your business needs to collect and how it will be used. One useful tool is bow-tie analysis. This offers a visual representation of the causes and consequences of a serious risk and the barriers, such as systems or people, you need in place to limit your business's exposure.

Retain knowledge. Most of the information we refer to is kept on paper or in IT systems. Your business needs to capture information and store it in an accessible format before key people move jobs and take their tacit knowledge with them. It also needs to have the right culture in place. One way to ensure this is to run an annual survey. Employees can be asked questions about how competent and confident they feel about their ability to manage risk.

Understand the interdependencies across your organisation. Consider how all the business's risks link with each other.

Continually assess performance. Benchmark your business's risk management against that of other similar organisations and see how your systems measure up to theirs.

This article is based on Allan Gifford's seminar at the IIA conference. For details of IIA training courses on risk, visit bit.ly/oPuqHF

Career development

A word with the wise

A good listener is a hugely valuable commodity, writes Rachel Bowden, who gives her perspective on the value of mentoring in internal audit and how to make it work.

You can provide anyone with a mentor, but this is unlikely to add much value unless they want mentoring, understand its purpose and are clear about what they want to gain. I don't think that being mentored is about learning or developing your skills. In my experience it was more about helping me to see a way forward and taking time out to think about my career.

Whether you're unsure about how to handle a particular issue at work or you're thinking about your future career path, it can help to have a mentor who is frank and honest, and with whom you can have an open discussion. They can act as a sounding board to bounce ideas off and ask those difficult questions. You may learn from them as a result, or the process may stimulate your thoughts and help you to learn from yourself.

I sought a mentor because I felt that it could be very useful to my career development, and I received mentoring that was organised formally. The HR department provided a number of seminars to help new mentors understand the importance of the process, what it is all about and the differences between mentoring and coaching, supervision and management, all of which are different but do overlap. While some mentees may choose to meet at a regular, set time with their mentor, I preferred to make it less rigid. I arranged the meetings when I most needed an opportunity to discuss ideas away from the core team and the day job.

At my firm, mentors often come from other service lines, which means they can provide a different layer of challenge: a mentor from another team or discipline may see issues from a different perspective. When I worked as part of the internal auditing team at a previous employer, I found it particularly useful to have a mentor from a different part of the business. I would therefore advise internal auditors seeking a mentor to try to find someone from a front-line or operational area of the business. It can help you as an internal auditor to understand that perspective and, as we know, one of the key things senior stakeholders want from internal auditors is a full understanding of the business.

I have also played the role of mentor, an experience that I really enjoyed. It's a great feeling to watch someone develop or move forward on their career path and feel that you have helped them in some small way. Many people will stay with a particular mentor for only a finite period. To me that's natural, because you will want different things from a mentoring arrangement at different points in your career. As a mentor, you have to be a good listener and should help the mentee to find the answers rather than providing them yourself. It's also important to remember that the relationship is confidential and to build an atmosphere of trust. The mentee may need to open up and share some personal and sensitive information with you.

If you're looking to be mentored, you should think carefully about what you want to gain from the experience. This will also help you to find the right mentor. You should prepare for meetings with your mentor. That individual is investing time in you, so respect the process and ensure that you gain as much from the opportunity as possible.

Rachel Bowden is a director in RSM Tenon's risk management service line. She is responsible for supporting the development of a team of internal auditors and chairs the IIA's guidance working group.

You asked us

Q&A

Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you've submitted recently.

Q: Before the evolution of risk-based internal auditing, findings were reported by control. What is best practice today for internal audit reporting? Should findings be reported by control or by risk?

A: Given that internal auditing is all about providing assurance on the management of risk, a reporting method that aims to highlight risk and the effectiveness of risk responses is good practice. I would suggest starting your report with an overview of how the risk management process is applied in the area you are considering. For example, does it follow policies and procedures; are risks regularly discussed and updated; and are responses reasonable? This will set the scene and allow you to say something positive, as well as providing an overview and opinion of how well risks are being managed in general. It will provide a balance. When you agree the scope of the audit, it is logical to describe the high risks you intend to look at and then report against these headings in turn. The IIA's international standards and guidance are not prescriptive on how reports should be presented. There are no definitive templates, as it depends what works best for your organisation. But you will find one report template in our online resource library, along with a number of examples of how other internal auditors grade recommendations (visit bit.ly/oiMYLp). If you would like to add your report format, please send me a copy.

Q: Is there a best practice or recommended standard for the frequency at which a company should rotate its external auditor firms?

A: For the UK and Ireland, the auditing practices board of the Financial Reporting Council issued a revised ethical standard 3: Long association with the audit engagement, in 2009. This states that an external audit engagement partner should be rotated every five years. The firm does not then participate in the audit engagement for a further five years, although flexibility of up to an extra two years is permitted in some cases. But this flexibility applies only to changing the partner, not the audit firm, something that has been resisted strongly by accounting firms. It seems to be at the discretion of the audit committee, based on whether it feels that it's getting a good service and value for money.

Q: What is best practice for a subsidiary whose local regulator requires the internal audit services provided by its parent company to be formalised in a service-level agreement (SLA)? In particular, the local regulator insists that the SLA allows the local subsidiary to appoint and replace the internal audit function.

A: The international standards and supporting guidance can't cover every eventuality, so there is no specific material on your particular situation. This is a governance and relationship management matter that really needs to be discussed by all the parties involved. It may even be something for the group board to consider and resolve. Perhaps it is a sign of the times, but regulators seem to be exercising their powers and rights more since the financial crisis. The local regulator and the local board need to ensure that they have sufficient internal audit assurance, particularly if the local firm is outsourcing its internal auditing to group internal audit, hence the need for an SLA. At the same time, I can appreciate that the group board must maintain control over subsidiaries and requires a wider perspective on risk and control, not to mention the cost of internal audit.

Got a question?
Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

Getting qualified

Student noticeboard
Essential information for exam candidates. Visit the student information centre at www.iia.org.uk for updates
November 2011 exam series: authority-to-sit correspondence
Correspondence was sent on Monday 24 October to students registered to sit the exams. Candidates must present a copy of this on entry to the exam venue, as well as photographic ID. If you have not received your correspondence, contact exams@iia.org.uk or call Aneta Zieba, assessment coordinator, on 020 7819 1928. Pre-exam instructions and exam regulations are available in the student information centre at www.iia.org.uk. Students must read these before the exams. Details about exam venues are available on the Examinations web page.

Extenuating circumstances
If you would like extenuating circumstances to be considered for these exams, you should read the relevant policy in the Regulations and policies section of the Examinations pages in the online student information centre. Chief examiners advise that any circumstances cited should

apply on exam day. While definitions of an extenuating circumstance must be flexible, claims will be tested by focusing on the effects they could have had on exam day. Circumstances that affected someones preparation for weeks or months beforehand, and which they claim affected their performance, will be scrutinised rigorously. Students wanting to submit details of extenuating circumstances that occurred on exam day must do so within a fortnight of the exam. Correspondence must be supported by evidence in accordance with the policy.

applications to external bodies to recognise their qualifications. Since 2007 it has recognised the IIAs professional qualifications as postgraduate level, with up to 60 credit points for each IIA Diploma and IIA Advanced Diploma, and up to 30 for the IIA Qualification in Computer Auditing. These ratings can be used when applying to study at higher education institutions. Awards of specific credit can be used towards particular OU distancetaught qualifications. Visit the Open University accreditation pages at www.iia.org.uk for details.

Accreditation from Exam pass notes the Open University Visit the Audit & Risk website at
The Open University (OU) awards general credit rating bit.ly/rli7eo for a guide to exam technique by two examiners.


November 2011 exam series


Exams will be held from Monday 21 November to Thursday 24 November inclusive.

IIA Diploma in Internal Audit Practice
Module: date, time
P1 The Internal Audit Environment: Monday 21, 9.30am to 12.40pm
P2 Financial Risks and Controls: Tuesday 22, 2 to 5.10pm
P3 Internal Audit Practice: Tuesday 22, 9.30am to 12.40pm
P4 Information Systems Auditing: Wednesday 23, 9.30am to 12.40pm
P5 Corporate Governance and Risk Management: Thursday 24, 9.30am to 12.40pm
P7 Internal Audit Practice Case Study: Thursday 24, 2 to 5.10pm

Materials for case studies, past-paper packs and chief examiners' reports
Case study materials for the IIA Diploma and the IIA Advanced Diploma are available in the student information centre. Past-paper packs and the chief examiners' reports for the June exams are also available in the student information centre.

IIA Advanced Diploma in Internal Auditing and Management
M1 Strategic Management: Monday 21, 2 to 5.10pm
M2 Financial Management: Tuesday 22, 2 to 5.10pm
M3 Risk Assurance and Audit Management: Wednesday 23, 2 to 5.10pm
M4 Advanced Internal Auditing Case Study: Thursday 24, 2 to 5.10pm

IIA IT Auditing Certificate
A1 IT Auditing Certificate multiple-choice questions: Monday 21, 9.30 to 11.30am

June 2012 exam series
Exams will be held from Monday 11 June to Thursday 14 June 2012 inclusive.

Congratulations to the IIA members below, who were successful in the June 2011 exams.
The Chartered Institute of Internal Auditors is the only organisation offering recognised professional qualifications for internal auditors in the UK and Ireland.

In June 2011, the following students successfully completed the examined element of the IIA qualifications:

IIA Advanced Diploma in Internal Auditing and Management exams completed
Asher, Bridget L Ashford, Natasha Atherton, Sharon L Atkinson, Neil A Barry, Helen Blewitt, Justin D Bowe, Jeffrey Buchanan, Alexandra Chapman, Amy J Chappell, Katharine L Cook, Gillian H Cooper, Darren Cullis, Dean G Delaney, Thomas P Edwards, Stuart R Fitzsimmons, Penny Flavelle, Rebecca Foster, Alastair J Gallagher, Peter J Graven, Michael N Hamel, Brian A Harris, Andrew Hastie, Hazel Havers, James M Hellary, Daniel Higgs, Helen James, Caroline P Jenkins, Richard John, Lea Kenny, Chris Kerr, Clare L Kumi, Anthony Lewis, Michael J Lye, Patrick N Maddock, James Mason-Bell, Angela McCavigan, Tracey Mills, Louise P R Mingout, Deborah Moloney, Paula Murray, Fiona H Ojo, Ayodele Patel, Krupali Puddicombe, Charles A Scott, Robert J Scutt, Jon Self, Sarah M Sharman, Teresa C Sharpin, Linda Stewart, Gary Tye, Graham R Vaughan, David J Woodhouse, Scott A Woolley, Rob


IIA Diploma in Internal Audit Practice exams completed


Barry, Marian Bartholomey, Jennifer Batey, Michael H Beville, Paul Guy Blake, Eamonn Bradshaw, Heather

Bray, Sarah Brewster, Martha Y Clark, Peter Clarke, Paula Clarke, Stephen W T Cleary, Michael Clifford, Barry Cowell, Ian J Davey, Julie-Anne Davidson-Dell, Simon Davies, Karen L Dean, Anthony Dempsey, Kim Dent, Michael R Devine, Gail L Downer, Stephen P Elliott Cartwright, Lee Fargus, Peter R Finnerty, Jason Fitzgerald, Anna Fleming, Ian Forster, Erin Fuller, John R Fuller, Katie Ann George, Lisa E Gibson, Gary Halliday, Neil Harper, Jennifer Harrison, Andrew Heasley, Roger J Hedley-Smith, Martin Highton, Dawn C Hilling, Sally Hirst, Matthew Hughes, James A Jolliffe, Hayley M Jones, Myra L Kelly, Elizabeth A LAbbate, Helen Lacy, Kelly A Lawes, Amanda Leggett, Stephanie M Ling, Jeanette Liveston, Kirsty Marshall, Imogen McKenna, Fiona McNeill, Gerald McWatters, Caroline Millar, Dermot P Molyneux, David G Moore, Paul W H Murfet, Neil R OConnor, Damian P OConnor, Stephen OKeefe, Paula Oakley, Katharine Parish, Emma Patel, Jashita S Peacock, Sean Pinkerton, William Plaskett, Sarah Pople, James S Purvis, Neil Rai, Ramesh Raine, Linsey Rayner, Sara Redmond, Jonathon K Robinson, James Shield, Bernadette Sisson, Paula Slater, Christine A Snell, Mark J Tallon, Una Taperell, Alice E Taylor, Angela Timothy, Oliver Towse, Mark N Trimarco, Marcus J Turner, Nadine Ujah, Chinyere C Wain, Ashley A Wakefield, Ryan D

Walsh, Susan Whan, Gavin Whitehead, Mark Whyte, Judith R Wilkinson, Tracy Willetts, Karen Williamson, Peter J Wilson, Andrew J Windsor, Graham Wood, Chris Woodward, Julie L Yardley, Caroline

IIA IT Auditing Certificate exam completed


Ballard, Sylvia Connolly, Emma J Merrell, Andrew

Rayner, Sara Richardson, Angela Robinson, Dawn M Robinson, James Simonite, Kyle Spilsbury, Grant B Swainson, Karen A M Talwar, Kieran Tang, Adrian Thrupp, Michael Tod, Graeme D Tse, Lewis Turner, Nadine Ujah, Chinyere C Wain, Ashley A Ward, Theresa R Wilkin, Gary A Wilkinson, Tracy Wilson, Andrew J Wong, Maurice Young, Samantha

Ujah, Chinyere C Varvill, Richard Von Wenden, Svetlana Wain, Ashley A Ward, James Lee Willetts, Karen Williams, Nanette R Wood, Chris Wootten, Jenny R Wright, Matthew Young, Samantha

Tang, Adrian Taylor, Paul Thrupp, Michael Tong, Jennifer Verma, Pooja Vicary, Yvonne J Vipond Murray, Victoria Ward, Theresa R Windsor, Graham Wong, Maurice Yorkston, David

P3 Internal Audit Practice
Adeyemi, Abimbola Atwal, Jaswinder K Baird, Barbara Beckett, Kelly M Bessell, Robert Beveridge, Francesca Bolster, Peter Bolton, Melissa M Bourke, Anna Brown, Steven E Chambers, Paul G Clarke, Steven Colbert, Suzanne J Coles, Stephen D Collins, Jonathan Cowie, Amanda J Craddock, Victoria M Dawson, Carlien Dean, Anthony Del Greco, Gabriella A Elliott, Nicola L Enfield, Mark Evans, Julie Fargus, Peter R Faulkner, Nicola L Fell, James Fines, Barry J Franks, Grant W French, Christopher B Garden, Susan J Garner, Gemma L Haggerty, Robert J Hardwick, Victoria Hayre, Baljit Haywood-Evans, Andrew Heather, Alison Hussain, Zakir Jackson, Christopher Jackson, Craig S James, Derly E Kerr, Stephen G Lambert, Paul Le Roux, Lone K Leckie, Evelyne H Liveston, Kirsty Lovell, Daniel M Maggs, Ian P Matkin, Katerine M McMahon, Rebecca Molyneux, David G Morgan, Gail Mulholland, David J Nicholson, Christian M Norman, Suzanne P Peacock, Sean Powell, Gemma K Rai, Ramesh Ravindranathan, Ramah Rice, Michael L Roblin, Lloyd Sethi, Nittan Shepherd, Anna Shield, Bernadette Smith, Frances Smith, Karen Patricia Southgate, Laura Swainson, Karen A M

P4 Information Systems Auditing


Atwal, Jaswinder K Aziz, Asma Banu, Rahela Bartholomey, Jennifer Beville, Paul G Bolster, Peter Bourke, Anna Bradshaw, Heather Bray, Sarah Brewster, Martha Y Briers, Imogen Bykova-Nimmo, Iryna Clarke, Paula Clarkson, Barry Coleman, Susan Colyer, Gary C Cooper, Richard B Coughlan, Alexandra Coveney, Paul D Cowell, Ian J Crane, Lewis J Dadhania, Jasmine Davies, Karen L Dennis, Hannah E Dent, Michael R Fargus, Peter R Fell, James Forster, Erin Gibson, Gary Gilchrist, Laurie J Girvan, Deborah Hetherington, Julie Hilling, Sally Hirst, Matthew Jackson, Peter W Jonas-Nartey, Jocelyn Killen, Melanie Kondratowicz, Teresa Leggett, Stephanie M Ling, Jeanette Marshall, Imogen Martin, Mairead R McNeil, Isobel M Murfet, Neil R Newell, Katherine J OConnor, Damian P OConnor, Stephen Osborne, Andre Payne, Clive Peak, William J Pinkerton, William Plaskett, Sarah Robertson, Dorothy Scott, Gavin D Semken, Timothy Shepherd, Anna Simonite, Kyle Sisson, Paula Street, Anna L Tod, Graeme D Turner, Nadine Wakefield, Ryan D Walsh, Susan Wilkinson, Tracy Williamson, Peter J Willshire, Richard Wilton, Rebecca A

The following students successfully completed the following exams in June 2011: P1 The Internal Audit Environment
Andrew, Stuart Ankach, Kayhan Atkinson, Andrea A Bancroft, James P Banu, Rahela Barker-Arnone, Emma Bennett, Helena Booth, Darren Bowers, Stuart M Clarke, Paula Clarke, Steven Collins, Jonathan Connolly, Angela Coveney, Paul D Cranston, James S Dadhania, Jasmine Del Greco, Gabriella A Dennis, Hannah E Evans, Saida Gilbert, Hollie Gilchrist, Laurie J Girvan, Deborah Handley, Lisa Heather, Alison Heeley, Jessica R Highton, Dawn C Hussain, Zakir Jackson, Christopher Jackson, Craig S James, Derly E Jonas-Nartey, Jocelyn Kaur, Sharonjeet Kendall, George Killen, Melanie Kondratowicz, Teresa Larcher, Timothy A B Leighton, Ruth E Lewis, Catrin Martin, Mairead R Masoeu, Kamohelo McWatters, Caroline Miles, Neil Nicholson, Christian M Pap, Timea Pope, Robert Powell, Gemma K Purvis, Neil Ravindranathan, Ramah

P2 Financial Risks and Controls


Andrew, Stuart Bailey, Helen D Bertie-Snell, Pia L Beveridge, Francesca Booth, Darren Breach, Paul J Brownley, Rebecca L Burnett, Angela Clark, Peter Clarkson, Barry Crane, Lewis J Davidson-Dell, Simon Delorey, Nicola Dempsey, Kim Donaldson, Oliver T Downer, Stephen P Evans, Saida Fanning, Nicholas R Fines, Barry J Franklin, Andrew Fuller, Katie A Gallagher, William P George, Lisa Elizabeth Harrison, Andrew Heaton, Rachel Ann Hirst, Matthew Hutchins, Alice C Jones, Myra L Kendall, George Kirk, Maureen LAbbate, Helen Leggett, Stephanie M Leighton, Ruth E Lesware, Gillian McLellan, Karen McNeill, Gerald Murphy, Elaine New, Hilary L OConnor, Stephen Onasanya, Ayodeji Pinkerton, William Plaskett, Sarah Purvis, Neil Rawal, Sohal Richards, Lianne Richardson, Angela Robinson, David Robinson, James Semken, Timothy Shirley, Lana Sisson, Paula Swainson, Karen A M Taperell, Alice E Taylor, Angela Tolentino, Melanie L Trimarco, Marcus J Turner, Nadine

Lourie, Matthew Maguire, Mary McAteer, Kieran A McKee, Alan Melluish, Helen C Mullan, Deirdre Murray, Debbie M L Nikitas, Ephrem Oldham, Justin OToole, Brendan Scott, Colin A Sharman, Nicola A Shelton, Timothy C Shephard, Kelly Sheridan, Steven Small, Colin P Stirling, Alexis Todd, Norman Varela, Sonia Vaughan, David J White, Pinar Woods, Tracey Woodward, Louise Wright, Daniel

Smedmor, Christopher D Stewart, Gary Stirling, Alexis Warren, Fiona Welsh, Wendy T White, Pinar

M4 Advanced Internal Auditing Case Study


Asher, Bridget L Ashford, Natasha Atkinson, Neil A Barry, Helen Blewitt, Justin D Bowe, Jeffrey Buchanan, Alexandra Chapman, Amy J Chappell, Katharine L Cook, Gillian H Cooper, Darren Delaney, Thomas P Edwards, Stuart R Fitzsimmons, Penny Flavelle, Rebecca Folan, Catherine Foster, Alastair J Furness, Jon A Gallagher, Peter J Graven, Michael N Hamel, Brian A Hastie, Hazel Hellary, Daniel James, Caroline P Jenkins, Richard John, Lea Kennedy, Kelly Kenny, Chris Kerr, Clare L Lye, Patrick N Maddock, James Mason-Bell, Angela McCavigan, Tracey McHugh, Matthew I Mills, Louise P R Mingout, Deborah Moloney, Paula Murray, Fiona H Njolai, Eric Ojo, Ayodele Patel, Krupali Puddicombe, Charles A Rashid, Shahid Scott, Robert J Scutt, Jon Self, Sarah M Sharpin, Linda Stewart, Gary Stringer, Richard Vaughan, David J Woodhouse, Scott A

M3 Risk Assurance and Audit Management P5 Corporate Governance and Risk Management
Ackred, Matt R Adeyemi, Abimbola Ali, Shiraz Amos, Martin J Bailey, Helen D Basford, Philip Batey, Michael H Bennetts, Frances Bolton, Melissa M Brown, Steven E Clarke, Steven Coleman, Susan Cowie, Amanda J Cox, Angela W Craven, Hilary Cuthbert, Sinead Dawson, Carlien Dean, Anthony Del Greco, Gabriella A Elliott Cartwright, Lee Elliott, Nicola L Evans, Julie Fargus, Peter R Fell, James Fittall, Rachel E Fuller, John R Gibson, Gary Gilbert, Hollie Goold, Anita C Haggerty, Robert J Hainsworth, Richard A Hall, Sheldon Hardwick, Victoria Heather, Alison Hughes, Karen Hussain, Zakir Jackson, Christopher Jolliffe, Hayley M Jones, Lucy A Lang, Charlotte J Lawes, Amanda Lawson, Ashleigh Le Roux, Lone K Liveston, Kirsty Lloyd-Roberts, Rhys W Lyons, Mark D Marshall, Imogen Martin, Sebastian J Matkin, Katerine M McCullough, Johanne McNeill, Gerald Mennear, Catherine H L Miles, Neil Molyneux, David G Mulholland, David J New, Hilary L Nicholson, Christian M Oakley, Katharine Osmond, Sarah J Owen, Gillian D Parish, Emma Parnell, Fiona J Peacock, Sean Pope, Robert Pople, James S Rai, Ramesh Raine, Linsey Rawal, Sohal Redward, Tim J Rice, Michael L Saxton, Nigel Shield, Bernadette Smith, Neil J Sodhi, Khushmit S Southgate, Laura Tang, Adrian Thrupp, Michael Timothy, Oliver Tse, Lewis Verma, Pooja Ward, Theresa R Watts, Jenny Whitehead, Mark Windsor, Graham Yardley, Caroline Halliday, Neil Harper, Jennifer Heasley, Roger J Hedley-Smith, Martin Hughes, James A Kelly, Elizabeth A Lacy, Kelly Ann Millar, Dermot P Moore, Paul W H Patel, Jashita S Redmond, Jonathon K Slater, Christine A Snell, Mark J Towse, Mark N Whan, Gavin Whyte, Judith R Woodward, Julie L Sharman, Teresa C Shepherd, Douglas C Sloan, Linda Smedmor, Christopher D Spencer, Jill Stubbs, Bharati Todd, Norman Townsend, Simon H Tye, Graham R Tyrrell, David Walker, Nicola Warren, Fiona Woolley, Rob Wright, Daniel Ashford, Natasha Brant, Andrew Breeze, Benjamin J Brown, Stewart Buchanan, Alexandra Buwu, Selina Chapman, Amy J 
Chappell, Katharine L Chilcott, Nigel Clapham, Fred Coogan, Stuart D R Cooper, Darren Cox, Richard J Davies, Christopher S Davies, Victoria A Delaney, Thomas P Ellis, Matthew Flavelle, Rebecca Foster, Alastair J Furness, Jon A Harrison, Sharon F Harrold, Lee P Heaphy-Davies, Lindsey Hellary, Daniel Hopewell, Peter James, Caroline P John, Lea Jones, Dewi F G Kaburara, Kimuli Kenny, Chris Kitchin, Julie Maddock, James Magog, Catherine E Maywah, Jayraj McCaffrey, Orla McHugh, Matthew I Melluish, Helen C Miller, Adam Moloney, Paula Njolai, Eric Ojo, Ayodele Oldham, Justin OShaughnessy, Paula Osunsami, Dolapo O Patel, Krupali Povey, Alex Saldanha, Roland F Satheesababu, Sonya Scott, Robert J Self, Sarah M Sharpin, Linda Shephard, Kelly Slayford, Shona


M2 Financial Management
Allen, Mark S Anderson, David Atherton, Sharon L Atri, Sunita S Barry, Helen Benmaamar, Sobh Bowe, Jeffrey Brant, Andrew Brown, Stewart Bull, Andrew J Cantwell, Grace Cook, Gillian H Cooper, Alan Fitzsimmons, Penny Furber, Kathryn Georgiou, Koulla Greenbeck, Fiona Hadden, Catherine M Hamilton, Andrew Harris, Andrew Hastie, Hazel Hellary, Daniel Hewitt, Paul Higgs, Helen Jenkins, Richard John, Lea Jones, Philip C Kaburara, Kimuli Kenny, Chris Khan, Addiba Kidd, Jonathan Lamb, David R Lefevre, Irene Lewis, Michael J

M1 Strategic Management
Ashford, Natasha Atri, Sunita S Bull, Andrew J Burrage, Peter Clarkson, George Coogan, Stuart D R Cullis, Dean G Durkin, Katey Ellis, Matthew Flavelle, Rebecca Hall, Mabel M Harrison, Sharon F Havers, James M Hellary, Daniel Heppleston, Russell J Hinde, Katharine John, Lea Kenny, Chris Kidd, Jonathan King, Simon R Kumi, Anthony Lefevre, Irene Lourie, Matthew Lye, Patrick N McTaggart, Lynne M Miller, Adam Moloney, Kevin J Oldham, Justin Ooi, Justin Povey, Alex Scutt, Jon

P7 Internal Audit Practice Case Study


Barry, Marian Blake, Eamonn Clarke, Stephen W T Cleary, Michael Clifford, Barry Davey, Julie-Anne Devine, Gail L Finnerty, Jason Fitzgerald, Anna Fleming, Ian

To find out how you can become qualified with the IIA, call 020 7498 0101, visit www.iia.org.uk or email studentsupport@iia.org.uk

Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.

Announcing... A Perfect 10

TeamMate 10
Work smarter with the efficient ribbon style user interface
Expand your view into your audit data with robust customisable dashboards
Drill deep into audit data through dynamic graphic illustrations
Easily link your risks and controls to streamline your risk assessment and audit planning
As always, upgrades are free to existing users!

There has never been a better time to find out what more than 85,000 auditors from more than 2,000 organisations across the globe have already discovered. As the world's leading audit management software, TeamMate empowers audit departments of all sizes to spend less time documenting and reviewing and more time providing value-added services. TeamMate continues to revolutionise the audit industry with the release of its 10th major version. All existing clients will receive TeamMate 10 as part of their on-going maintenance and support, at no additional cost.

Work smarter with new user interface
A wealth of information about the status of your audits is presented upon initial entry to TeamMate EWP. Before you even open an audit, you will be able to see the completion progress and individual items of interest specific to you.

Dynamic graphics provide in-depth analysis
Graphic illustrations of your data (pie charts, bar charts, etc.) allow you to drill down to details of specific interest. Each click of the mouse takes you deeper into the underlying data.

Robust dashboards: the data you need at your fingertips
New user-defined, customisable dashboards offer a robust platform upon which a variety of audit activities can be managed and understood, including tailored KPIs, team performance, audit progress against plan, risk management, and issues tracking.

Risk assessment streamlined
State-of-the-art risk assessment worksheets offer an in-depth look at the relationship between entities and related objectives, risks and controls. Risks and controls identified during the assessment process can be tracked through to related audit planning and testing.

More information: Call UK Sales on +44 207 981 0566 | www.CCHTeamMate.com

Looking for more? GO online


Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

IIA UPDATE
CEO sets tone at annual conference
This year's IIA conference attracted a record attendance of 250 delegates as the event returned to the Royal Society of Medicine in the West End of London. Opening the proceedings, Ian Peters, the institute's chief executive, spoke of the need to set the right tone at the top in organisations and stressed that supporting this objective was a key strategic role for internal audit. While regulators and policy-makers, particularly in the banking sector, were becoming less light touch, rules alone cannot fundamentally change behaviour, he said, adding that internal audit needed a higher profile and greater influence among its many stakeholders, both within organisations and more widely. Referring to recent institute research on the role of non-executive directors (Neds), Peters said there was still a long way to go to increase the understanding of risk management in organisations and that internal audit had another important role to play in achieving this. See page 10 for more information on the IIA's Neds research. Visit www.auditandrisk.org.uk to read a full report on the conference.

Ian Peters: highlighted a key strategic role for the profession.

Complaints against members

The IIA recently conducted two disciplinary hearings. These are held when a complaint is made that a member has breached the institute's code of ethics. In both of these hearings the complaints were upheld. The first hearing led to the censuring of a member. The second hearing concerned a member who had been dishonest in reporting their exam performance to their employer. They had then attempted to hide this dishonesty by falsifying a document supplied by the IIA. The institute considered that the member had breached the code of ethics in regard to the principle of integrity and, in particular, the requirement to perform work with honesty, diligence and responsibility. The member was expelled from IIA membership. To view the IIA's code of ethics, visit the knowledge centre at www.iia.org.uk

BCU masters degree offers IIA exemption


A new partnership between the institute and Birmingham City University (BCU) is offering dual awards to students who complete BCU's MSc in audit management and consultancy. These individuals will also be considered to have completed the exams for the IIA Diploma and the IIA Advanced Diploma. "We are delighted to launch this initiative in collaboration with Birmingham City University," said Francis Nicholson, IIA education director. "We have been close partners for many years and the university has consistently delivered a successful tuition programme as an accredited provider. The dual award is the next logical step in this relationship. We are happy to recognise the quality of the MSc and its constituent awards by removing the requirement to sit additional exams with the IIA." For more information, visit bit.ly/p5O8cx or email studentsupport@iia.org

AGM votes on directors and fees


Over 30 voting members attended the second annual general meeting of the Chartered Institute of Internal Auditors in central London on 5 October. Members heard the council's report and audited accounts for the period ended 31 March 2011 and Melvyn Neate gave the president's report. Philip Ratcliffe and Paul Kaczmar were appointed as directors at large, both nominated by council. Sarah Blackburn, James Paterson and Vic Watson left council. At the council meeting before the AGM they were thanked for their work. Stephen Ireland, Stuart Silcox and Sean O'Broin were elected directors. (See pages 24 and 40 for details of new president David Reynolds, deputy president Nicola Rimmer and audit committee chairman Philip Ratcliffe.) Other business included a vote on subscription fees. Increases were agreed based on annual inflation of 4.2 per cent shown in the June consumer price index. Fees were rounded down to the nearest £1 and fees for retired members were frozen. Warrener Stewart was appointed as auditor of the IIA until the next AGM. Profiles of all council members are on www.iia.org.uk under "About us" and "How we work".

IIA training courses and events


For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special interest groups should be booked directly with the organiser using the contact details provided.

November
14
Heads of Internal Audit Service Forum: IT security what are the current exposures? Edinburgh

23

IIA North East: risk management risk and the internal auditor Durham

Internet investigations and e-crime London

January
20
Retail Audit Group meeting: topics are likely to include risk-based internal audits, the Bribery Act 2010 and team building. Anyone working as an internal auditor in a retail environment is welcome to attend. Newport Pagnell, Bucks
Call Jane Leek on 020 7854 8921 or email jane.leek@brc.org.uk

Email stephen.ireland@aviva.co.uk

6-7 6-7 6-8

24

15-16 16-17 16-18 17 18 21

How to audit management information London

The essential guide to treasury security and controls London IIA award in the effective delivery of audit and assurance London

Auditing outsourced contracts London

25 25

How to audit procurement London

Risk-based internal auditing an audit management course London

Advanced information systems auditing London

Insurance Internal Audit Group: ERM under Solvency II, lessons from a fraudster and governance audit London
Email Vicky Kubitscheck at contactus@iiag.org.uk or visit www.iiag.org.uk

Internal auditing a beginners' course York

February
8
IIA South West: outsourcing Swindon
Email john.thomasson@iia.org.uk


7 (tbc) 7

Banking and Financial Services Internal Audit Group seminar London

The Bribery Act 2010 what it means for internal audit Bristol

29-30

The balanced scorecard Manchester

IIA award in the internal audit planning and assurance framework Cardiff

IIA South West: customer experience risk Congresbury


Email john.thomasson@iia.org.uk

Date tbc

IIA Midlands: commissioning, outsourcing and third-party engagement Location TBC


Email ann.brook@barclays.com

30

8-9 14

Assurance mapping the foundations York

Audit report writing London

IIA award in interpersonal skills for audit and assurance London

30-1 December

22

Assurance mapping driving further benefits York

A practical guide to evaluating risks and controls York

December
1
The Bribery Act 2010 what it means for internal audit Worthing

Heads of Internal Audit Service Forum: procurement and outsourcing what are the current issues and how should internal audit respond? London

Post your event


IIA regions and special interest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk. Please state the event title, date, venue and contact details. The deadline for the January/February issue of Audit & Risk is 16 November.

22-23

Date tbc

IIA award in corporate governance and risk management London

IIA Midlands: networking and social event (early evening) Location TBC
Email ann.brook@barclays.com

22-25
London

Introduction to information systems auditing

1-2

Auditing projects and project risk London

Moving up
Have you moved jobs recently?
To feature in the next Audit & Risk, email the editor at alice.hoey@caspianmedia.com. To update your contact details, log into the members page at www.iia.org.uk and click on "My contact details".

Katharine Chappell, assurance and control auditor at the House of Commons: Find what studying style works best for you and stick with it.

Institute welcomes incoming officers


Three new officers took up their new roles at the IIA's annual general meeting on 5 October: David Reynolds FIIA became president and Nicola Rimmer CFIIA deputy president, while Philip Ratcliffe FIIA became audit committee chairman. Ratcliffe is a former IIA president and has sat on the nomination, remuneration, and audit committees, as well as on the president's group. He is a qualified accountant and has written papers and policy statements on the implementation of the Smith Guidance, including terms of reference for audit committees. "As a head of internal audit for nearly 30 years, I have extensive experience of working for audit committees and clear views on what audit committees need to do in order to be effective," Ratcliffe said. "The institute needs a strong audit committee to monitor that its internal standards of risk management, internal control and internal financial control and accounting are commensurate with the standards that it wishes to promulgate." See page 24 for the views of David Reynolds and Nicola Rimmer.


Best in class
Four IIA members were rewarded recently for their outstanding performance in the exams.
Lorraine Matkin PIIA, of the Food Standards Agency, has been awarded the Charles Duly prize, which recognises the IIA Diploma in Internal Audit Practice student who passes all their exams first time and with the highest aggregate mark. Alastair Foster CMIIA, of RSM Tenon, has received the Peter Hook prize, the equivalent award for the IIA Advanced Diploma in Internal Auditing and Management. "I took these exams to progress my career and develop a specialism," he said. "My advice to others taking these exams is to ensure that you put enough time aside and really study hard following the revision sessions." Runners-up awards in the Peter Hook category were won by Katharine Chappell CMIIA, of the House of Commons, and Martha Kemsley PIIA, of RSM Tenon, who also both passed all their Advanced Diploma papers first time and scored the next highest aggregate marks. Speaking about the challenges of taking the exams, Chappell said one of the most difficult things was keeping the momentum going. "As the exams approached I found it harder to stay focused and to learn and retain information," she admitted. "Everyone's got their own style of studying; you have to find what works best for you and stick with it."

"Ensure that you put enough time aside and study hard following the revision sessions"

Philip Ratcliffe.

Internal audit. With us, it's not a sideline. It's a specialism.

With internal audit comes unique challenges and demands. It requires only the very best, dedicated recruitment service, a consultancy with a unique understanding and appreciation of internal audit and its needs. Such a service is offered by Michael Page. We're part of a Business Superbrand with an unparalleled office network and database, providing a network of UK divisions solely dedicated to internal audit. We recruit sought-after part qualified to qualified and executive appointments on an interim, contract and permanent basis. We cover: Compliance; Internal & IT audit; Risk management.

Your specialist internal audit team within the West Midlands:
Edward Starkey, public practice and specialist markets, 0121 634 6934, edwardstarkey@michaelpage.com
Nick Baxter, public sector specialist, 0121 634 6920, nickbaxter@michaelpage.com
Amanda Alderson, interim specialist, 0121 634 6920, amandaalderson@michaelpage.com
Dan Yates, executive appointments, 0121 634 6920, danielyates@michaelpage.com

Specialists in Finance Recruitment


156 offices in 32 countries | www.michaelpage.co.uk/finance

It's all about understanding the risks

BDO is the award-winning UK member firm of the BDO international network, the world's fifth largest accountancy organisation, with more than 1,000 offices in over 100 countries. BDO is building a strikingly different business, focused on exceptional client service. Employing exceptional people, the company culture helps them get on with the job, without needless bureaucracy. To continue the firm's growth plans and strengthen client relationships, Internal Auditors are required to join our expanding Risk Advisory Services team, based in our Epsom office. Internal Auditors will be required to work closely with senior members within the team. You will work on a wide range of clients; manage assignments of moderate complexity and variety; assess risks and apply internal control concepts, assessing the exposures resulting from ineffective or missing control practices. The ability to identify and define financial, operational and compliance risks and formulate recommendations which are proactive, practical and cost effective is essential. Documenting facts and information to support the work and conclusions is key, including evaluating audit results, weighting the relevancy, accuracy and perspective of conclusions against the evidence. To be considered for this role you must demonstrate previous internal audit experience, including having an up to date knowledge of relevant legislation. Ideally you will be CMIIA or CCAB or have an equivalent qualification or part qualification. You will need to be flexible to travel on a regular basis locally with potential for wider travel. To apply for this role please apply online at: www.bdocareers.co.uk using Job ID 1106

For further opportunities within BDO please visit: www.bdocareers.co.uk

Internal audit. With us, it's not a sideline. It's a specialism.

With internal audit comes unique challenges and demands. It requires only the very best, dedicated recruitment service, a consultancy with a unique understanding and appreciation of internal audit and its needs. Such a service is offered by Michael Page. We're part of a Business Superbrand with an unparalleled office network and database. We recruit from part-qualified to head of function on an interim and permanent basis. We cover: Compliance; Internal & IT Audit; Risk Management; Internal Controls.

Internal Auditor
Surrey 45,000 + Car Allowance + Bonus + Benefits
Global multinational business is seeking a Spanish speaking Internal Auditor to assist in risk-based audit reviews, ad hoc projects and developing a stronger internal controls framework. ACA/ACCA qualified (or overseas equivalent) with up to two years of proven audit experience gained in either a top 10 practice firm or from industry. Strong communication skills and willing to travel up to 40% internationally is essential. Interested candidates should contact Oliver Swift quoting reference MPIAM13201092.

Audit Methodology & Quality Assurance Manager
London 70,000 + Car Allowance + Bonus + Competitive Benefits Package
A UK organisation is seeking an experienced internal auditor with in-depth knowledge of developing and implementing a company-wide audit methodology. Simultaneously, you will be responsible for executing a quality assurance strategy and have proven ability to train staff and drive best practice. You'll also be ACA qualified (or overseas equivalent) from a Big 4 with solid, impressive industry experience. Interested candidates should contact Victoria Kahane-Fellowes quoting reference MPIAM13198420.

Your specialist internal audit team within London and the South East:

Kyra Cordrey, director, 020 7269 2433, kyracordrey@michaelpage.com

Victoria Kahane-Fellowes, consultant, 020 7269 2281, victoriakfellowes@uk.michaelpage.com

Oliver Swift, consultant, 020 7269 2444, oliverswift@uk.michaelpage.com

Specialists in Finance Recruitment


156 offices in 32 countries | www.michaelpage.co.uk/finance

corporate governance recruitment


London/City

Senior Internal Auditor City To 70,000 + Bens

Regions

Audit Project Leader Liverpool To 40,000 + Bens
An opportunity has arisen to join this dynamic and well respected financial services group. Reporting to the Head of Audit and working closely with an audit manager you will form part of a team of three operating at a senior level. The role offers broadly based experience and previous audit experience gained in a financial services environment would be an advantage. You should be either audit or accounting qualified.

IT Audit

Senior IT Auditor London To 60,000 + Bens


A unique opportunity has arisen for an experienced IT audit professional to join the internal audit division of this successful financial services group. Reporting to an IT Audit Manager you will evaluate the effectiveness of IT and payment system controls. To meet the requirements of the role you will need to be QiCA, CISA, CISM or CISSP qualified, have commercial savvy and practical experience of auditing IT infrastructure and applications.

Audit Risk Compliance Security Legal Treasury


London Edinburgh New York Dubai Hong Kong

This international specialist insurance business underwrites risks at Lloyd's and is growing rapidly. As a result they are seeking to recruit an additional senior internal auditor to join their small but high profile audit team. You will take responsibility for leading all aspects of assigned audits across the business including planning and report presentation. You will be professionally qualified with insurance industry experience.

Sen. Mngr/Audit Dir. Finance London 110-120,000 + Bens


This global diversified banking group is seeking a senior level candidate to head up the finance audit team. You will be an experienced audit manager and have technical experience of auditing finance. Your experience should also include knowledge of IFRS, Basel and FSA regulations. This role lies at the heart of internal audit with oversight responsibility for a key risk area. An accountancy or internal audit qualification is essential.

Internal Auditor Bristol Competitive + Bens


Our client is a successful niche player in the UK insurance industry. They are growing steadily and have a strong financial base. They are now seeking an internal auditor to join their risk department and help provide independent reviews and consulting services to improve the group's efficiency and control environment. Your role will include the planning, delivery and reporting of risk based and process related audits.

Senior Manager IT Audit North To 75,000 + Bens


Working for this specialist financial service provider you will be responsible for developing and delivering the IT audit plan across their UK and European operations. You will work closely with operational management to ensure that risks to the IT environment are managed effectively. You will have the ability to assess existing control frameworks and, where necessary, advise on enhancements. A professional qualification is required.

Audit Supervisor London 65-75,000 + Bens


Our client is an international corporate and investment banking group with a financial markets centre of excellence based in London. They are seeking an audit supervisor with capital markets and/or corporate banking experience. The audit team is close knit and promotional prospects are performance based. Past career development from this role has included a senior appointment into finance and a business manager/front office move.

Internal Audit Manager Surrey To 70,000 + Bens


This successful multinational engineering group is seeking an Internal Audit Manager. You will report to and assist the Head of Audit in the management of the department. You will have previous supervisory experience and will manage reviews across the group's operations and business processes. The role involves substantial international travel and provides scope for career development either in the UK or internationally.

Senior IT Auditor London To 42,000 + Bens


As a result of a number of recent business wins this leading accountancy practice requires an ambitious, capable and fully qualified IT audit professional. Reporting to the senior manager you will deliver infrastructure, applications and general controls reviews and will contribute to the ongoing development of the service line. The practice has a fixed growth strategy and there are genuine prospects to progress your career.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW

Subject Matter Expert Audit London 65-75,000 + Bens


This well known broker has created a new position within its audit team for an expert on Legal, Regulatory and Compliance audit. You must be able to translate FSA requirements into an audit plan, perform fieldwork, present findings and manage internal and external stakeholder relationships. The environment is fast paced and entrepreneurial and you will need to have credibility with both the front office and compliance functions. For further details of positions in London/City contact Alexia Demetriou 020 7936 2601 ad@barclaysimpson.com

Head of Internal Audit North West To 70,000 + Bens


Our client is bucking the economic trend and growing at an exceptional rate. Voted one of Sunday Times 100 best companies to work for, you will lead the business in its audit strategy, addressing core risks and assurance gaps of a multi-site retailer. You will be a strong communicator and comfortable making recommendations at director level, advising the audit committee on recommendations that are constructive and cost effective. For further details of positions in the Regions contact John Gray 020 7936 2601 jg@barclaysimpson.com

IT Audit Manager Birmingham To 60,000 + Car + Bens


An experienced IT audit manager with experience of developing and delivering a complex IT audit plan is required by this successful commercial group. Reporting to the Head of Audit you will be responsible for planning and managing the delivery of an annual risk-based plan for technology whilst developing effective working relationships with management across the business. Excellent interpersonal and commercial skills are essential. For further details of positions in IT Audit contact Daniel Flynn 020 7936 2601 df@barclaysimpson.com

020 7936 2601


Barclay Simpson Scotland 9-10 St Andrew Square Edinburgh EH2 2AF

0131 209 7850


bs@barclaysimpson.com www.barclaysimpson.com

Scotland

Group Internal Auditor Glasgow To 45,000 + Bens


We are seeking a highly motivated group internal auditor to join this internationally renowned service group. You will plan and deliver a wide range of operational and financial audit work in Scotland and overseas. It is anticipated that success in this role will result in a promotion into a line financial or operational management position. You must be professionally qualified and comfortable undertaking 50% international travel.

International

Senior Internal Auditor Switzerland Romandy CHF 100-130,000 + Bens


This is an opportunity to join a world class multinational FMCG group. You will be exposed to the challenges the group faces in optimising and streamlining its structure, developing the business and maintaining and developing the control environment. You will be part of a multicultural team assessing risk in all areas of the business and should have relevant experience gained from a recognized multinational group or Big 4.

Nationwide Interim Opportunities


London | Audit Manager | Capital Markets | 500 per day
London | IT Auditor | Banking | 500 per day
South-East | IT Auditor | Consultancy | 200 per day
Hampshire | Business Auditor | Asset Management | 60,000 pro-rata
London | SOX/ Data Quality | Insurance | 600 per day
London | Senior Auditor | Asset Management | 400 per day
Central London | Treasury Auditor | Investment Banking | 550 per day
London | Basel 3 Specialist | Retail Banking | 550 per day
London | Audit Manager | Financial Services | 75,000 pro-rata
London | Change Auditor | Corporate Banking | 500 per day

Internal Audit Manager Dundee c. 45,000 + Bens


This financial services provider has a Big 4 co-sourcing audit arrangement. They are seeking an Internal Audit Manager to work in their specialised in-house audit team. You will help deliver a programme of assurance work and should be comfortable leading teams and managing controls testing and key stakeholder engagement. You should have well developed interpersonal skills, be IIA qualified and have broadly based internal audit experience.

Head of Audit Qatar To 110,000 Tax Free


This recently established brokerage business, a subsidiary of a major bank, is seeking an experienced audit professional. You will design and implement an audit framework, playing a key role in ensuring that the business develops in a controlled environment. You should have a sound understanding of brokerage gained through an audit or consultancy role and the ability to build strong working relationships with senior management.

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com

www.barclaysimpson.com/interimsolutions

Interim Market Report 2011


A comprehensive analysis of the corporate governance recruitment market including salaries, sectors, demand and predictions for the remainder of 2011. Reports available for:

IT Audit Manager Aberdeen c. 75,000 + Bens


Our client is a well known international oil and gas group. They are looking to recruit an experienced IT audit manager to plan and deliver a programme of IS assurance work across the business. To be considered for this high profile role you must have demonstrable IT audit experience gained in diverse commercial and technical environments and be QiCA or CISA qualified. A relocation package is available. For further details of positions in Scotland contact Liam Hughes 0131 209 7850 lh@barclaysimpson.com

Senior Audit Consultant Paris 40-60,000 + Bens


Our client, one of the Big 4, is seeking senior consultants to join the financial services practice. You should have either traditional internal/external audit experience or experience gained in corporate governance. You should have well developed interpersonal and communication skills and be looking to work in a client facing environment. You will be part of an EMEA team and will work in both French and English. For further details of International positions contact Marie Marchi 020 7936 2601 mm@barclaysimpson.com

Internal & Computer Audit Compliance Risk Management Information Security Legal

Download your free copy at: www.barclaysimpson.com

Visit www.barclaysimpson.com to access a vast range of free online resources


Search hundreds of audit vacancies

Find your current market value

Information on where best to live and work

Focus on Computer Audit

Latest information on qualifications

Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the REC's Diversity Initiative.

For more details visit: www.barclaysimpson.com/equalopps

corporate governance recruitment

Risk and Assurance Coordinator


Edinburgh 35-50,000 + Benefits
Cairn Energy is an international FTSE 100 oil and gas exploration company based in Edinburgh.
Risk and Assurance Coordinator is a new role and has been created to coordinate business risk management and assurance processes within the Group. The role involves quantifying the impact of business risks and coordinating the preparation of risk and assurance submissions. You will assist directors and heads of department in maintaining their risk registers and matrices and will manage IT systems in support of risk management. Maintaining awareness of external developments will be key, as will coordinating outsourced internal control assurance processes. A good working knowledge of enterprise risk management and internal assurance processes and practices within a multifunctional commercial business environment is required together with a strong background in business risk management or internal audit. First class communication and influencing skills are prerequisites. The opportunity for career progression is excellent.

For further information or to apply please contact Liam Hughes on 0131 209 7850 or email at: lh@barclaysimpson.com

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com

020 7936 2601
