Issue 12 July/August 2013

The magazine of the Chartered Institute of Internal Auditors

Ground control
Kevin Goulding, group head of internal audit at Dublin Airport Authority, on flights, finance, security and duty-free shopping

Fair dues: why its important to keep up to date on discrimination Too close for comfort: how to manage potential conflicts of interest Aint misbehavin: do hotlines for whistleblowers really work?

Are you a professional internal auditor holding either the IIA Diploma (PIIA) or IIA Advanced Diploma (CMIIA)? Are you just starting out in your career in audit?
If so, contact BHBi to find out how the BHBi Triple Qualification could help you increase your professional standing and become more marketable. BHBis Triple Qualification comprises of: CMIIA/PIIA Award Chartered Management Institute (CMI) Level 7 Diploma in Strategic Management & Leadership Chartered Manager (CMgr) status
Chartered Manager is the highest status that can be achieved in the managerial profession. Awarded only by CMI, it is recognised throughout the public and private sectors, across all management disciplines.

If you hold the CMIIA Award or the PIIA Award already, take the fast track route to enhanced CPD and further qualifications and achieve: The CMI Diploma in Strategic Management & Leadership Chartered Manager status If youre just starting out in your career in auditing you can study for your professional qualifications with BHBi and have the Triple Qualification built into your training! This will help you become more marketable, enhance your career prospects and gain access to professional networks whilst also demonstrating a high level of strategic competence and audit and managerial professionalism. For a confidential discussion on how BHBi can help you achieve more from your professional auditing qualification contact: Mark Barnes Tel 07906972147 Email markbarnes@bhbi.co.uk Paul Haley Tel 07973911317 Email paulhaley@bhbi.co.uk

www.bhbi.co.uk/triple-qualification

BHBi has been quality assured and assessed by the CMI to offer the fast track route to enhanced, continued professional development. Offering a wide range of practical professional resources, CMI membership will not only enhance your employability, but help take your professional practice to the next level and beyond.

PREMIER PRACTICE

Contents
28

Issue 12 July/August 2013

The magazine of the Chartered Institute of Internal Auditors

14

Ground control
Kevin Goulding, group head of internal audit at Dublin Airport Authority, on flights, finance, security and duty-free shopping

18

Fair dues: why its important to keep up to date on discrimination Too close for comfort: how to manage potential conflicts of interest Aint misbehavin: do hotlines for whistleblowers really work?

Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Ruth Prickett ruth.prickett@caspianmedia.com 020 7045 7572 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.

22
Front
3 The IIA view
From the chief executive, Ian Peters.

Features
14 Holiday maker
Kevin Goulding, group head of IA at Dublin Airport Authority, on local traffic and global duty free.

REGULARS
32 Tools for the job
How to improve the way you communicate the value of internal audit.

5 World view
From Richard Chambers, IIA Global president andCEO.

18 On the level
Why organisations must keep up with shifting views of discrimination.

33 Career development
Top tips for creating a new IA function from scratch.

7 View from the top

From Malcolm Zack, head of internal audit at Post Office Limited.

34 You asked us
Experts answer readers technical questions.

8 Update
The latest news affecting the profession.

22 What planet are you on?

What the audit universe means for you.

36 IIA update
Institute news and membership matters.

10 Conference preview
What to look forward to at the IIAs annual conference.

24 Conflict resolution
Conflicts of interest are hard to spot and can prove expensive to resolve.

38 Courses and events

Key training dates.

12 Reportage
The findings of the 2013 Eversheds Board Report.

40 Student noticeboard
Essential information for exam candidates.

28 Good call?
Whistleblowing hotlines are cheap and popular. But do they work?

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk

The Perfect Pairing

The integration of TeamMate AM and TeamMate CM promotes leveraging and sharing of data and work ows across the Internal Audit and Compliance disciplines.

Increase Efficiency & Boost Productivity of your Audit Process

TeamMate AM is the solution of choice for 90,000 auditors in more than 2,200 organisations world-wide. AM addresses key audit management functions such as risk assessment, scheduling, documentation, issue tracking and time reporting, enabling you to standardise and streamline your entire audit process.

A Breakthrough in Compliance Management

TeamMate CM is focused on the management and testing of SOX, Basel III, Solvency II, IT Governance or any other set of internal controls. CM allows you to view and interact with controls through an innovative user-defined structure based on multiple Dimensions and Perspectives of data that leads to greater efficiencyand deeper insight.

Learn more at TeamMateSolutions.com

View from the IIA

Bank vault a great leap for internal audit

The IIA is delighted to be able to announce the launch of the first code of guidance specifically aimed at enhancing the application of the institutes international standards in the financial sector.
Ian Peters, chief executive of the IIA.
Risk is an integral part of the financial services sector; its what makes money and loses it. One common question during the financial crash of 2008 and the various problems that the sector has had with misselling, money-laundering and fraud has been what were their internal auditors doing? . Often, as Barclays head of internal audit Michael Roemer told us in the March/ April issue of Audit &Risk, the answer to this is quite a lot, actually . However, internal audit is only as strong as the amount of credence it is given by the board. If you muzzle your guard dog then you cant blame it for failing to bark at the burglars. This is why the IIA is delighted to be able to announce the launch of the first code of guidance specifically aimed at enhancing the application of the institutes international standards in the financial services sector.This is a milestone for the sector. The guidance is based on the recommendations of an independent committee set up by the institute.The IIA has welcomed the recommendations and has published them in full, commending them to the sector. It is being published at a crucial time in the history of financial services, as the sector is still working out the full implications of the report of the Parliamentary Commission on Banking Standards, which has suggested that senior bankers who are guilty of reckless misconduct should be sent to prison.The Treasury welcomed this report and has promised to consider amendments to the banking bill to back it up with legislation. Of course, the guidance alone, however helpful for internal auditors in the sector, cannot solve some of the key problems highlighted by the commission, namely that expectations of internal audit in the sector have been too low and that internal audit has not been able to play an influential enough role in supporting executives and non-executives in their responsibilities for managing risks and controlling the business. This is why the real significance of the new guidance is that its primary target audience is not internal audit practitioners, but boards, audit committees and senior executives. Its recommendations should gain even greater force if senior executives realise that a strong internal audit function, with real access to core risk data and a voice that is heard loud and clear on the board, could help them to stay out of gaol if things go wrong. The guidance should also help internal auditors to put their points across more consistently and forcefully. It is intended to give greater relevance to the IIAs international standards by ensuring that best practice internal audit is expected by boards and audit committees and delivered by practitioners, consistently across the whole sector.The recommendations seek to enhance internal audits role and influence by clarifying reporting lines to the chair of the audit committee, demanding a broad scope and coverage for internal audit so that the function decides for itself what are the major areas of risk and establishing that no area of risk is beyond its focus. Last, but by no means least, the success of this groundbreaking new guidance could enable the institute to produce similar advice for other sectors in future.This is a new departure for us in an area that clearly needs improved support from our profession and touches all our lives, but tailored guidance to enhance understanding of the international standards could help internal auditors in a wide range of organisations. If financial services institutions agree to set their guard dogs free, then the hounds can start to protect us all more effectively. The full guidance can be found at www.iia. org.uk/policy/financial-services-initiative/

The guidance should help internal auditors to put their points across more consistently and forcefully

HAVE YOUR SAY

Post your comments about this article or any of the issues raised at www.auditandrisk.org.uk

Complete Audit Solution 100 users 500 per month

Plan Perform Assign Report

To find out more or to arrange a free trial visit:

Prepare the Audit, The Team, Location, Scope, Objectives, when , questions, notify users and add it to planners. Assign questions to team members. Who can work offline to carry out the audit. Including attachment of supporting documents,scans or images. Create remedial actions for issues that need to be resolved, give ownership and assign with an action by date and track to completion. Produce an Audit report with the click of the mouse, including current state of actions, performance and statistics, everything for the audit committee

Prepare to be very, very impressed A 5 star product for a 1 star price

Symbiant Management Suite - The total Audit solution Management Suite is a unique web based modular solution that allows the whole workforce to collaborate on Audit, Risk and Compliance issues.

14
D WINNING SOFTWARE OF AWAR

www.symbiant.net/audit

Trusted by names you know from charities to banks, government to PLC.

View from IIA Global

Keep current guidance in a changing world

Ive been reflecting on how the world has changed since the original COSO framework was published, how important that guidance became, and how resilient it has proven.
Richard Chambers, president and CEO of IIA Global.
Responding to monumental changes in the way organisations conduct business, the Committee of Sponsoring Organizations of theTreadway Commission (COSO) has updated its Internal Control Integrated Framework for the first time in more than two decades. As a member of the COSO board of directors, Ive been reflecting on how much the world has changed since the original framework was published, how important that guidance became, and how resilient it has proven.The 1992 document remains the most widely used internal control framework in many countries. It is used throughout the world by leading international companies. Its even referenced by the US Securities and Exchange Commission as a viable framework to evaluate and report on the design and effectiveness of internal controls over financial reporting. When the original COSO framework was published, the internet was in its infancy. Facebook and Twitter were still a decade away as well as a slew of corporate scandals that gave rise to the development of corporate governance legislation around the world. Internal auditing, outside the profession, was largely perceived as an accounting discipline. Today, internal auditing cuts a much broader swath, drawing practitioners from a wider range of backgrounds, including engineering, communications and technology, to evaluate and improve the effectiveness of risk management, control and governance processes. In the nearly 20 years since the inception of the original framework, business and operating environments have changed dramatically, becoming increasingly complex, technologically driven and global in scope. At the same time, stakeholders are more engaged, seeking greater transparency and accountability for the integrity of the systems of internal control that support the businesss decisions and governance. It is testament to the principlebased vision of the authors of the original framework that, despite these changes, the 2013 update, written by PricewaterhouseCoopers on behalf of the COSO board, does not refute the original framework. Instead it formalises the principles embedded in it and expands the discussion in the light of the different environment in which organisations are operating, taking into account issues such COSO made a major step with this framework by expanding its applicability to operations and reporting objectives.This is especially important to internal auditors who are responsible for ensuring the effectiveness of governance and a variety of internal controls in areas beyond finance. It recognises that a system of internal control is all-encompassing. One of the most noticeable differences is that the 17 principles within the five components of internal control are now spelled out.These principles clarify the requirements of effective internal control to facilitate designing and implementing a system of internal control and assessing its effectiveness.The framework also includes points of focus that highlight important characteristics relating to these principles. COSO has also developed Illustrative tools for assessing effectiveness of a system of internal control offering templates and scenarios to help people apply the framework, and Internal control over external financial reporting: a compendium of approaches and examples offering practical approaches and examples to show how the frameworks components and principles can be applied when preparing external financial statements.

When the original COSO framework was published, the internet was in its infancy.
as globalisation and increased expectations for governance oversight. The 2013 framework addresses risks associated with technological advances, incorporates some of the lessons learned over the past decade about fraud, and emphasises that control is about more than just internal control over financial reporting.

For further information

Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/IIACEO

Comprehensive Audit & Risk Management Software

Pentana Vision

Global audit management software

Modern screen design that operates globally over a range of network speeds without the restrictions of a browser interface Flexible audit planning by entity structure & process Home screen identification of items for your action and review In-built audit methodology and audit report templates Simple deployment and automatic software updates Audit work can be focussed on risks identified from integrated risk registers

www.pentana.com/vision Enquiries: info@pentana.com Call: +44 (0)1707 373335

View from the top

Diversity Strength in variety

Each persons perspective is one window on a problem and having several perspectives means you can open those windows to produce effective solutions.
Malcolm Zack, head of internal audit at Post Office Limited.

Internal audit had its roots in accountancy and finance, so its not surprising that many people in the profession are financially qualified. But what has changed over the quarter century that Ive been working in the risk, audit and governance arena is the ever broadening remit of internal audit.The IIA in the UK and globally has consistently built, developed and upgraded internal auditing as a profession and a brand to be proud of. As a head of function I have to be able to provide a view of risk and control across the business, so I cannot rely purely on the traditional source of internal auditors. In the three major organisations where I have headed the audit function, I have sought people with more diverse backgrounds, experiences, organisations and qualifications.Yes, one does need financial expertise at the core, but I could not meet my remit to the board without bringing in staff from other disciplines as well.This includes encouraging internal transfers from the business and, significantly, seeking IIA or CIA qualified staff. Combining these skills can build a more rounded service. One of the best project auditors I have had so far in my teams was previously an experienced project manager, not an auditor.Their management skills were highly advanced and their experience juggling many demands as a project manager was an excellent grounding for running several audit projects simultaneously. When I was establishing a new team to focus on distribution and operations, I hired an experienced qualified internal auditor from outside the organisation, but also brought in a member

of staff from the business who was steeped in operations. While they knew little of internal audit, their controls and process background dovetailed well with the external hire so we could map business knowledge with risk and control expertise. Adding others with different sector experiences enabled the team to help the business move its control dial significantly. Most of the teams I have worked with have been relatively small, but I have

Having a French man help a Peruvian on an audit in Sweden, and doing it all in English, is a bit of an eye-opener
been privileged to work with people from other countries who can bring different perspectives to these teams. Each persons perspective is one window on a problem and having several perspectives means you can open those windows to produce effective solutions. Having a French man help a Peruvian on an audit in Sweden, and doing it all in English, is a bit of an eye-opener. I joined the Post Office in October 2012 to set up its internal audit department following

its demerger from Royal Mail in April 2012. Post Office is undergoing an exciting and challenging transformational change across more than 11,700 branches the largest retail network in the UK. Its a diverse organisation covering financial services, telephony, insurance, mails, foreign exchange, mail services and government services, so the risks are diverse too. Post Office is also keen to support diversity with the aim of bringing in a range of thoughts and encouraging people from a wide variety of backgrounds with different experiences to build change. As the Post Office internal audit team develops, it will reflect those values.To meet the increasing expectations of the board, the internal audit team needs to be diverse in its thinking and capability. I will always need financial expertise in my audit teams, but it is essential to seek complementary strengths from elsewhere. A team that plays to its strengths will achieve much.

About the author

Malcolm Zack FCA MBA BCom is head of internal audit at Post Office Limited. He was previously group audit director at the Brakes Group, vice-president head of operational review at Visa Europe, and held audit, risk and consulting roles at Sainsburys Kingfisher and the Burton Group (now Arcadia). He is a chartered accountant and a member of the IIAs Audit Committee. The views expressed here are his own.

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see whats new.

UPDATE
c-suite executives shift views on Risk
Regulatory changes have caused 70 per cent of c-suite executives to make substantial or moderate changes to risk management and reporting processes in the past two years, according to a report by KPMG.

We round up the latest business and regulatory news to affect the internal audit profession.

FRC revises standard on audit reports

The Financial Reporting Council (FRC) has made significant changes to the UKs external auditing regime through a revised standard. The corporate reporting watchdog has issued a revised auditing standard (ISA 700) to enhance transparency in the auditors report by increasing communication with investors. External auditors reporting on companies that apply the UK Corporate Governance Code will be required to explain more about their work. The FRC is also requiring boards to describe the work of the audit committee in annual reports and for the auditor to report if the boards disclosures do not address matters it has communicated to the audit committee. Auditors will also have to inform the committee about significant audit judgments.The changes will affect audits of financial statements for reporting periods on or after 1 October 2012. The full survey report can be downloaded at http://bit.ly/13CLVZJ

To see the report, visit http://bit.ly/ WN4GG5

Whitehall has 89 problem projects

There are 89 major Whitehall projects facing significant obstacles to implementation, according to a Cabinet Office review.The Major Projects Authoritys (MPA) review of the governments 170 largest projects together worth more than 350bn used a traffic-light warning system to rank the schemes. Fifty-eight were rated amber , meaning successful delivery is feasible , but significant issues exist requiring management attention .The abolition of the Audit Commission is in this group. A further 23 projects, including the Universal Credit single-benefit programme and the Department forTransports High Speed 2 rail programme to build a new line linking London to Birmingham, Manchester and Leeds, were rated amber-red , meaning successful delivery is in doubt. Eight schemes were red , where successful delivery appears unachievable .These included the rail franchising programme for the West Coast mainline, and a planned upgrade to the online application system for passports. Cabinet Office minister Francis Maude said that reviews of major projects had helped to save taxpayers more than 1.7bn since the MPA was formed in 2011. The report can be found at: http://bit.ly/1b0l2Bj

ILO: Lack of jobs will cause lost decade

Soaring stock markets and higher profits have pushed up executive pay and left companies with cash, but they have failed to create jobs, according to the International Labour Organisation (ILO). The United Nations (UN) agencys annual World of Work report warns that the worlds advanced economies will suffer a lost decade of jobs growth, and that the risk of social unrest is rising as inequality worsens.This will be a major global challenge for the years to come . The report predicts that employment rates in advanced economies will not reach pre-crisis levels until after 2017, more than ten years after the global financial crash began. A separate report by Eurostat, the statistics office of the EU, has found that unemployment in the Eurozone rose to 12.2 per cent in April. At 24.4 per cent, youth unemployment was double the wider jobless rate and up from 24.3 per cent in March. In Greece almost two-thirds of those under 25 are unemployed. In the UK the figure is 20.2 per cent. Read the ILOs World of Work report at http://bit.ly/LIMqYg. Eurostats figures are at http://bit.ly/10MAtIX

Cloud governance: 5 questions for boards

UN warns companies to engage more with disaster risk

The United Nations

NHS will not achieve 20bn savings, say FDs

Most NHS finance directors think the health service will fail to meet its target of 20bn efficiency savings by 2015, according to a Kings Fund survey. Of the 51 finance directors polled by the health think-tank, almost all (96 per cent) estimated that the risk of the NHS failing to meet its 20bn efficiency target was 50:50 or worse . In terms of patient care, 40 per cent of finance directors believe the quality in their area has deteriorated over the previous year, and more than two-thirds (69 per cent) said that the governments reforms had had a negative impact on performance. According to the Kings Fund, this pessimistic outlook reflects the degree of financial pressure the NHS is currently facing. Savings so far have come largely from staff pay freezes and cuts in management costs. The survey was published alongside the Kings Funds latest quarterly monitoring report on the NHS.This showed that the number of people who have waited more than four hours in hospital accident and emergency departments has hit a nine-year high. Read the full report at http://bit.ly/15x8BeX

has warned that IT security standards setter ISACA has issued economic losses new guidance outlining key questions for boards from disasters have spun out of control. of directors to ask to ensure their enterprises is calling on the cloud initiative is in line with business objectives It worlds business and the organisations risk tolerance. community to incorporate disaster According to the white paper, boards should risk management ask whether management teams have a plan for into their investment strategies to avoid cloud computing and if they have weighed the further losses. value and opportunity costs. They should ask To read the how cloud plans support the enterprises latest Global Assessment mission; whether executive teams have Report (GAR13) properly evaluated organisational readiness by the UN Office for Disaster Risk so that cloud processes work alongside those Reduction already in place; and whether management (UNISDR), go teams have considered existing investments to http://bit. ly/13DxZ1A that might be lost in their cloud planning. Lastly, boards need to ask whether the Natural organisation has strategies for measuring and catastrophe tracking the value of cloud return versus risk. risk report Full details: www.isaca.org/cloud-governance Zurich Insurance Groups Natural catastrophes: business risks and preparedness survey has found that companies recognise the potential risks posed by natural catastrophes, yet still have insufficient mitigation plans.

HSBC hires ex-MI5 boss

HSBC has hired former MI5 chief Sir Jonathan Evans to help Britains biggest bank clean up its act after US authorities fined it nearly US$2bn for acting as a conduit for Mexican drug money and breaking sanctions. Evans will join as a non-executive director and will sit on HSBCs financial system vulnerabilities committee. Other banks have made high-profile hires to improve their regulatory compliance records. Barclays made Hector Sants, former CEO of the Financial Services Authority, its head of compliance and government relations, while Royal Bank of Scotland made Jon Pain, another former FSA director, its compliance chief.

For more information, go to http://bit. ly/11Eb7M8

Conference preview

Harness the power

Businesses and stakeholders are demanding more of internal audit, so the IIAs 2013 conference focuses on its power to make a difference in challenging times.
Expect More Harnessing The Power is the theme of the 2013 IIA conference, which takes place on 11-12 September at One Wimpole Street in London. Internal audit is facing increasing demands as organisations struggle with economic challlenges, so speakers will focus on how it can make a real difference to business success. This years conference features over 30 sessions led by experts from well-known organisations. In addition to the main talks, delegates can choose from a range of practical sessions, where they can get advice, find out about tried-and-tested approaches and make contacts.The free exhibition will also provide opportunities to find out more, while networking over tea and coffee. Day one The first day focuses on risk management. Speakers will look at the ways in which internal audit departments need to transform themselves into key players by identifying problems before they happen and providing insights into the effective management of risk so they add value to the organisation as strategic advisers. Roger Marshall, director of the Financial Reporting Council, will give the keynote session on expecting more from internal audit and how new guidance on IA in financial services can be harnessed in other sectors. He will be followed by David Law, group risk and compliance director atTunstall Healthcare Group, who will offer a strategic overview on the key risk-management challenges currently facing boards. Armand Lumens, chief internal auditor at Royal Dutch Shell, will then take the stage to share tips for delivering the successes of internal audit to the executive board. He will examine how to ensure that decision-makers in your organisation focus on the right risks, how to engage effectively with management teams and ways to ensure that the decisionmakers receive the information they need. After lunch delegates will separate into a variety of practical sessions focusing on different aspects of how to scan the horizon to identify emerging risks for their business. Day two Sessions on the second day will focus on broadening the role of internal audit to ensure it is relevant and seen to add value to the business.The morning sessions offer a strategic overview with leading HIAs giving their views on contributing to business strategy and business change. Sally Clark, chief of administration in Barclays Internal Audit, will examine how to give expertise and business insight into strategic initiatives and the ways this enables internal audit to contribute to strategy. Mark Fensome, director of group audit services atTuiTravel, will follow this with a session on how internal audit can deliver value during business change and suggest ways to develop the internal audit strategy to look at change.The rest of the morning will be spent in practical sessions that allow participants to explore a variety of topics from the changing role of internal audit and effective interaction with other assurance providers to the internal audit skills that will be needed in the future. The final afternoon will focus on the soft skills required by all internal auditors. One of the key issues is communication, essential both at strategic level and when dealing with management at operational levels. Session leaders will examine the role of internal audit as a key area for growing potential talent. The conference will end on a positive note, emphasising the strength we gain from the unity of the internal audit profession. The final session will discuss how to work across cultures, how to work together as professionals and how internal auditors can come together for the 2014 International Conference in London. For more information Visit www.iia.org.uk/conference to see the programme and book a place, or contact trainingandevents@iia.org.uk. Book before 31 July for a discounted price of 635 plus VAT (members) or 835 plus VAT (non-members). If you would like to exhibit at, or sponsor, the conference, contact paul.roberts@iia.org.uk.

10

IIA Annual Conference 2013

11-12 September 2013

Expect more harnessing the power

Internal audit has never been more challenging. Continuing economic uncertainty and emerging risks mean that internal auditors are working harder than ever. By taking the initiative, internal auditors can enhance their role and become even more relevant to the business. Our conference will provide the strategic and practical sessions you need to broaden the role and success of internal audit. Sessions for this year include: s Expecting more from internal audit new guidance for boards s Risk management the key challenges facing boards s Delivering internal audit success to your executive s Horizon scanning how to anticipate and identify emerging risks s Giving expertise and business insight into strategic initiatives s Internal audit and business change delivering value

EARLY BIRDS SAVE!

BOOK BY 31 JULY

Find out more at www.iia.org.uk/conference

REPORTAGE
Risk strategy is now higher on the board agenda and a boards key challenge is how to balance growth and risk, according to the 2013 Eversheds Board Report. The report also highlighted that diversity has risen up the board agenda, of directors saying that diversity on the board is key to good board performance.

61%

12

There is more evidence of positive dialogue between shareholders and boards. The average AGM approval rating for executive remuneration , except in the US packages was over where it was

90% 80.5%.

Boards have got smaller

the average number of directors on the board over the past five years.

8% decrease in

In 2007 the average board size was directors In 2012 it was

13.4
12.3
directors.

of board directors believe that an effective board should have fewer than 12 members.

93%

72%
Directors are staying in their roles for longer. The global average tenure of directors is 6.7years on the board an increase of 13% in five years. There is a positive relationship between longer tenure and share price over three- and five-year periods.

of directors said that their boards approach to risk had changed in the past two years and it is now higher on the board agenda.

Top challenges facing the board were:

Growth strategy

Economic climate

Risk Regulations strategy

60 is the average age

of directors. 58 is the average age of chairmen and CEOs of the top 50 companies.

Directors views on the type of diversity that has the most effect on board performance:

10% cited
gender

49% cited experience

and sector diversity

The number of executives on boards decreased in all regions.

The trend is to have fewer executive directors on the board.  In 2007 there were 3.2 executives to 10.2 NEDs.  In 2012 there were 2.1 executives to 10.2 NEDs.  The top 50
companies had 2.4 executives to 8.2 NEDs 22.3%.
13

16%

cited age and generation

34%
the overall average decrease. The largest decrease was in Europe (60%) and the smallest decrease was in Australia (8%).

thought that chairmen could enhance the way in which boards engage with different stakeholders.

51%

50%

25% cited international

experience and background

increase in the percentage of female directors on boards across all regions. However, this is from a low base. The largest increases were in Europe (156%) and in Hong Kong (133%).

The research involved 542 of the worlds leading companies, including the top 100 companies in the UK, Europe and the US, over 120 Asia-Pacific companies, 50 Middle Eastern companies and 30 companies from Brazil. To request a copy of Eversheds Board Report: The Effective Board visit: http://bit.ly/YZtn6n.

14

Holiday maker As the holiday season approaches, most people start thinking about a couple of weeks in the sun. But, as Kevin Goulding, group head of internal audit at Dublin Airport Authority, explains,the season brings more complicated challenges for those running airports.
Words: Neil Hodge Photographs: Mark Nixon

The airline industry has been one of the hardest hit since the global economic crisis gained momentum. While passenger numbers are moving back up to pre-2008 levels globally, profit margins have narrowed for most, and the environment is set to remain challenging for some time, according to the International Air Transport Association, the major industry body. Yet there are always some that buck the trend and succeed where others struggle. Dublin Airport Authority (DAA), which is state owned, but operates on a stand-alone commercial basis, runs Dublin and Cork airports and delivered a solid performance last year.Turnover increased by three per cent to 575m, while profits (excluding exceptional items) grew by 66 per cent to 43m. Group operating costs fell, while passenger numbers rose 8.8 million passengers used the recently openedTerminal 2, which is driving the airports long-haul growth. So far this year, the positive upturn looks set to continue and there are signs that even more people will be jetting to and from the Irish capital over the summer (see box on page 16).

Kevin Goulding, DAAs group head of internal audit, is confident that the airports can cope with the projected surge in demand, and that the necessary controls are in place to ensure that passengers have a smooth journey and that internal audit is not run ragged. Increased capacity and larger passenger numbers are always a risk issue, but the opening ofTerminal 2 a couple of years ago reduced those capacity risks, he says.

Kevin Goulding: in numbers

1998 to 2004 senior internal auditor at Jefferson Smurfit Group plc (including secondments to the SAP implementation). 2004 to 2011 head of internal audit and risk management at Kingspan Group plc. Jan 2012 to present head of internal audit at DAA. He is a qualified accountant with the Chartered Association of Certified Accountants and part of the IIAs heads of internal audit service

Care of duty
But Gouldings internal audit team is working in a business that is far more complex than that of many airports. DAA has three strands to its operations.The most important and resource-intensive of these is running Dublin and Cork airports. In the past few years it has also developed a consulting arm that provides advice to airports that are, for example, planning to develop new terminals, facilities and business opportunities.Third, over the past 50 years, it has developed an enviable sideline in duty-free/duty-paid shopping with its retail business Aer Rianta International (ARI), one of the worlds largest airport

Increased capacity and larger passenger numbers are always a risk issue, but the opening of Terminal 2 reduced capacity risks.

15

Bidding for duty-free contracts is big business for DAA and the organisation keeps an ear to the ground for new opportunities
duty-free and duty-paid retailing companies with an interest in 24 airports in 14 countries. During 2012 ARI generated profits of just over27m. It saw strong sales growth in the Middle East and in India, where annual sales at its Delhi Duty Free passed US$100m for the first time. ARI also opened its first Chinese stores in 2012 and has recently been selected as the preferred bidder for the dutyfree business at Mumbais newTerminal 2, which means that ARI will be operating the key duty free outlets at Indias two main international gateways.This will give DAA a very strong position in one of the worlds most important growth markets. As a result, Goulding says that internal audits work is increasingly involved with the way that the business is expanding internationally. Bidding for duty-free contracts is big business for DAA and the organisation keeps an ear to the ground to find out when a new opportunity might become available. Our work involves providing assurance on financial statements. In order to win these contracts, the organisation has to give guarantees and provide sound financial forecasts on the amount of revenue and customers it can bring in. We need to check the information behind those figures, he says. His team will audit the activities of each ARI subsidiary every two to three years. This process is complex for a number of reasons. First, it is a question of resources. We have a small team so we need to ensure that resources are deployed in the most effective way possible.The other issue is that many of the ARI operations are joint ventures, and we may need to agree a right to audit with the other party. Added to that, joint venture partners may have their own internal audit teams and external auditors, so sometimes we can leverage off their work, he explains.

Fully automatic
Another area of financial risk for internal audit relates to loss of revenue or revenue leakage . The financial controls we have in place are robust and the business model we use has been established for a long time, so we are aware of the risk profile, says Goulding. However, some of our invoicing involves a degree of manual input and that is a concern.The business is trying to automate more of these processes, and internal audit is monitoring progress, he says. IT risk is already at the heart of his teams work. Our business is very IT-driven, he says. There are around 180 different types of IT system across the organisation; everything from the usual desktops to check-in terminals, CCTV, security scanners and arrival and departure monitors. We have identified about 25 of these as critical. We have to make sure that these systems will work and that there is a back-up process we can switch to very quickly if anything goes wrong. Business continuity is a major focus for us. To ensure that the risk of IT disruption remains low, internal audit has a policy of communicating the importance of patch management throughout the organisation.

It is hugely important that everyone is using the latest and safest versions of software on their systems, so the IT department sends out communications notices to remind people to install the latest patches made available by software providers to get rid of any vulnerabilities, he explains.

Developing high flyers

Goulding believes that it is important for internal auditors to move into other departments in the organisation after two or three years. He also likes to mix and match his staff so that members of his team get to experience all aspects of internal audit work. I dont want people to be stuck looking at one area of work all the time, such as regulatory compliance. I want my team to be flexible and to experience the whole range of work that internal audit does so that they get variety, enhance their skills and can benefit the wider business if they move into another department in the organisation, he says. Gouldings first dedicated internal audit role after qualifying was at paper and packaging company Jefferson Smurfit Group (now Smurfit Kappa), where he was mentored by a head of internal audit who constantly stove to make the function best

16

Black box: the business figures

Dublin Airport Authority (DAA) runs Dublin and Cork airports (Shannon Airport was ceded in December). In 2012 turnover increased by three per cent to 575m, while profits (excluding exceptional items) grew by 66 per cent to 43m. Group operating costs were slashed, running at eight per cent below 2008 levels when Dublin Airport was operating with only one terminal.Passenger numbers at Dublin and Cork airports were up by 1.6 per cent equating to 340,000 extra passengers while the number of long-haul passengers travelling through Dublin Airport grew by 16 per cent, owing to new capacity on routes to the Middle East and to North America. About 10.3 million passengers used Terminal 1 at Dublin Airport in 2012, while 8.8 million passengers used the recently opened Terminal 2, which is driving the airports long-haul growth. In the first three months of 2013 passenger numbers at Dublin were up four per cent and eight new services have started flying since the start of the year. The airport has secured new transatlantic capacity so that 224 flights a week will operate during the peak holiday season.

in class . That experience shaped the way that I think about internal audit a lot. My then boss always looked at what value internal audit could add to the business and he put a strong emphasis on having different skill-sets, and I share exactly the same view, he says. He took up the role of group head of internal audit at Dublin Airport Authority (DAA) in January 2012. Before this he spent over seven years at Kingspan Group, which provides environmental, construction and renewable energy products. He enjoyed this job, which included setting up the internal audit and risk-management functions, but a seven-week spell in hospital after a routine appendix operation went wrong and nearly killed him put the constant travelling into perspective. Around 96 per cent of Kingspans business was outside Ireland, so my work involved a lot of air travel. I felt like George Clooneys character in the film Up in the Air I always seemed to have a bag packed and I was constantly living out of a suitcase, collecting air miles and hotel booking points. My near-death experience put my lifestyle into perspective, and I thought Id look for a new challenge that kept me close to home, he says. One of Gouldings first tasks when he took charge of the internal audit function at DAA

was to make personnel changes within the existing staff. Over the previous three to five years some of the more experienced internal auditors had left the organisation to take up opportunities outside DAA.They had been replaced by personnel from other parts of the business with less traditional auditing experience, but with a great knowledge of the operation, he says. While their technical knowledge of the business was a huge asset, some of the team did not have all the requisite formal audit training and qualifications. Some of them had also been moved into the audit function temporarily and had stayed in the team longer than originally planned, so it was time to find new roles for them in the business. My approach is that the internal auditing department should be a springboard for new talent whereby recently trained and qualified auditors are brought into the organisation, and then move out into the business after about two years in audit, he explains. The redeployment took longer than expected, but Goulding says that he now has a team of five, including four qualified internal auditors. He is currently looking for an IT audit manager plus another internal auditor to focus on the international side of the business.This will make the team about the right size for the organisation and quantity of work that we are doing , he says.

His longer term plans could also involve internal audit working more closely with external teams. While he does not have a co-sourcing arrangement in place with any third-party provider at present, he concedes that he may look more closely at this option as the international side of the business grows.This could be particularly useful where the team needs local language skills, he points out. He also wants to build up the relationship internal audit has with external audit for their shared mutual benefit . In my last role at Kingspan we carried out a number of joint audit assignments across the US business with the external auditor so that skills and experience were pooled and costs were reduced. In effect, for certain locations I ensured that the requirements of the external audit programme were fully covered by the internal audit programme and that work papers were robust enough to be relied on by external audit, he says. It is more difficult to create that relationship here because external audit is statutory, there are issues surrounding independence and safeguards would need to be established. However, there can be real benefits from sharing certain work to minimise duplication of effort and to ensure there is sufficient leverage off internal audit work, he adds.

17

Despite the changes so far, UK laws may not yet have caught

18

What is discrimination? It depends on what the law says and on what your staff and customers think it is. New legislation can lead the way by prompting organisations to change the way they act and imposing penalties on those seen to be discriminatory, but it is not the whole story. Diversity and discrimination are two sides to the same coin and the opportunities as well as the risks continue to evolve.
Words: Alice Hoey Illustration Paul Blow

On the level

up with societys desire for equal opportunities

When the new Mental Health Discrimination Act came into force in April 2013, it changed relatively little most significantly for businesses, it revoked a previous provision that prevented people from serving as company directors on account of their mental health problems but it was symbolic. It addressed the last significant type of discrimination in our society today, mental health. The UK has had laws to protect individuals from discrimination on the basis of gender and race since the 1970s, with protection expanded in the 1990s to include disability. Since the turn of the century, religion or belief, sexual orientation and age have also been added to the legislation. The most significant legislative change, however, was the introduction of the Equality Act 2010, which brought all the discrimination laws under one statute and gave them equal weighting. It also expanded existing protection to include marriage and civil partnership, pregnancy and maternity, and gender reassignment.

Developing diversity
Despite the changes so far, UK laws may not yet have caught up with societys desire for equal opportunities. There is, for example, some recognition by the public that discrimination based on factors such as social class exists, says Dan Robertson, diversity and inclusion director at the Employers Network for Equality and Inclusion, but the legislation on this issue is absent . The debates over diversity are far from over and can evolve

The UK has had laws to protect individuals from discrimination on the basis of gender and race since the1970s

quickly. Londons prestigious Imperial College recently withdrew its offer of a short internship in its science labs from a fund-raising auction at Westminster School after there was an outcry on scientific blogs and among its own students, who protested that internships should be available only on merit, not for A-level students with the richest parents. Similar concerns have been raised more broadly about unpaid work placements in large organisations, which are seen to give an advantage to people whose parents are willing and able to support them while they work. Meanwhile politicians, church leaders and pressure groups across Europe have been hotly debating the issue of whether gay couples should be allowed to marry the first French same-sex couple married in May, while the UK and German governments are struggling to find solutions that are acceptable to groups with strongly held opposing views. Other nations also influence the development of UK legislation, says Karen Jackson, a partner at DID Law, which specialises in disability discrimination and workplace health issues. Some Scandinavian countries have taken the lead on the issue of gender equality in the boardroom. In Denmark, for example, they now have quotas as part of their effort to even out the gender balance at the top levels of large companies, she says.The US tends to be at the extreme end of the curve. For example, it has legislation protecting against genetic discrimination, where an

19

The ability of digital channels such as Facebook and Twitter to enable people to express discriminatory opinions or tell ill-timed, insensitive jokes is also affecting employers, who can be caught in the fall-out when staff hit the headlines

20

employee is tested for a predisposition to genetic disease. This issue may become more important in other countries if such tests become more widely available. The ability of digital channels such as Facebook and Twitter to enable people to express discriminatory opinions or tell ill-timed, insensitive jokes is also affecting employers, who can be caught in the fall-out when staff hit the headlines.The recent appointment of Paris Brown, a 17-year-old hired as Kents first youth police and crime commissioner, fell apart when her silly, inflammatory tweets came to light. After several days of media attention and considerable embarrassment for the Kent police and crime commissioner who had hired her, Brown stepped down.The tweets were not seen as a criminal offence, but the authority was criticised for failing to check the candidates online media profile. Emails can also provide evidence of discrimination. In the mid-1990s a woman who worked at a City bank brought a sex discrimination case against her employer and used personal email comments by colleagues and bosses as evidence. Few people were probably surprised at the time that some male bankers had sexist attitudes but the case was notable for the way in

which it highlighted an emerging risk from internal emails. But, according to Jackson, the UK government has little appetite to increase anti-discrimination protection at present. She says that she has seen a fall in the number of claims relating to sex and race. This is partly because the law around these has had longer to bite, but also because most employers are on side with these laws, understand them and provide diversity training around them, she explains. However, she is seeing more employment tribunals on the grounds of disability and age discrimination.This is unsurprising, she says, given the ageing population and the abolition of the default retirement age. In future, she warns that organisations may need to pay more attention to other areas of discrimination that have had a lower profile in the past. Religion and belief have had quite a high profile in the media, with cases such as Eweida v BA and the B&B owners who turned away a same sex couple hitting the headlines. Employers ought to be tuned into this, she says.

Keeping step
Internal audit plays an important role in ensuring organisations have the proper

procedures to assure against these risks. Most important, according to Alistair May, affiliate member of the IIA and head of internal audit at the Scottish Government, is assurance that the issues identified are being taken forward positively and that successful outcomes are achieved. The key risk, he says, may be that the hoped for outcomes do not materialise, which would be particularly disappointing for both ministers and management. Discrimination has been a priority for the Scottish Government. Most recently, following the Equality Act 2010, Scottish ministers made regulations placing specific duties on Scottish public authorities to enable the better performance of the public sector equality duty, May says. One legislative result of this focus was the offensive behaviour at football and threatening communications (Scotland) bill, which was passed in December 2011 and aims to tackle particular problems in Scottish football and society. The Scottish Government is required to carry out an equality impact assessment when new policies are introduced. As internal auditors, we are sometimes asked to provide advice on the development of new policies and this is one of the key areas

Court in the act

What are the risks of failing to comply with equal opportunities and discrimination laws? One problem with antidiscrimination laws is that they can attract unscrupulous claims, says discrimination lawyer Karen Jackson, who has defended many employers against employees who see a performance-linked dismissal as discrimination. The best way for businesses to protect themselves is to ensure they have a thorough and well-documented policy but, more importantly, to police that in the workplace, crack down on unacceptable behaviours (especially among managers

who should be setting the tone) and provide regular training around the issues. Training is essential, partly because people dont always realise they are acting in a discriminatory way. Businesses also need well-documented and fair HR procedures to back up their actions and decisions. It is alarming how often HR representatives make procedural errors that land their employers in hot water, says Jackson. While this can be easily remedied with the right processes

keeping a paper trail of documented meetings, phone calls and discussions many organisations fail to put these in place. Employers often cant demonstrate that they considered a decision, because it happened during an informal chat between managers and HR and there is no record, she says. While records such as file notes are useful, email should be limited because it can leave a trail of incriminating evidence and employees can ask employers to provide data

about them under the Data Protection Act. Simple HR procedures, properly followed, can protect against claims of unfair dismissal on the basis of discrimination. For example, organisations must follow the right steps in the dismissal process they shouldnt go from a first informal chat to a dismissal without giving the employee warnings or help to improve. Witnesses at meetings are also a good idea, says Jackson. In employment tribunal proceedings contemporaneous written evidence will almost always be preferred over an individuals word.

Londons prestigious Imperial College recently withdrew its offer of a short internship in its science labs from a fund-raising auction at Westminster School after there was an outcry on scientific blogs and among its own students who protested that internships should be available only on merit, not for A-level students with the richest parents
we look at to ensure it is being addressed properly, May says. Legislative changes have not necessitated changes to internal audit procedures, because, May says, the governments systems, processes and culture have evolved to reflect changes in attitudes and behaviours and new priorities. For example, Scottish Government employees have a mandatory requirement to set a personal objective linked to diversity.This can be to do with working relations or conditions, developing processes or promoting policies. Some auditors can link their diversity objective to some of their audit assignment work where there is a natural alignment, he explains. Internal audit has had specific input in developing the Certificates of Assurance (CoA) process, he adds, which requires all deputy directors to complete a selfassessment checklist. The internal auditors were at the forefront in introducing the CoA process.This is now being reviewed and some of the diversity assurances it contains may need to be refreshed. We refer to these checklists in the course of related audit assurance work and look for evidence to support the self assessments declared.

The up side
It is easy to focus on avoiding the risk of discrimination and, ultimately, a legal battle. More positively, there are real benefits for organisations that embrace greater diversity. There are studies, specifically by McKinsey and Catalyst, that show a correlation between increased diversity and improved quality of decision-making, while a number of studies also link a higher representation of women on boards with

business performance, says Robertson. Whats more, treating people fairly has a positive impact on the psychological contract and thus improves productivity and profitability.There are also benefits to being seen as an employer of choice, he adds, pointing out that the post-babyboom generations put a diverse workforce high on their wish-list for employers. While most companies focus on discrimination as an employment issue, its worth remembering that in many cases a companys staff are also its customers, local ambassadors and frontline communicators. One IT company in the US found that customers reacted better when they diversified their engineering teams by recruiting people from a wider range of backgrounds and training them internally. Sending people who reflected the range of people who worked in their customers offices, rather than a team entirely made up of white men who all had the same qualifications, meant that customers felt they could ask more questions and gained better service. Supermarkets and DIY stores that have made an effort to recruit older staff have found that these employees are often better informed about products and more committed to their jobs than much younger staff, who see the job as a stepping stone to something else or a short-term option, although older workers may be less able to take on heavy physical work. Older customers often appreciate being able to talk to someone more like themselves who understands their needs. You dont need to spend much to ensure your company is an equal opportunities employer.The average cost of putting basic procedures in place is less than 1,000, according to the Employers Network for Equality and Inclusion. As new issues come to the fore and attitudes in society shift, there is scope for further changes and emerging risks. Organisations and internal auditors need to stay on their toes.

21

What planet are you on?

22

Professor Robin Pritchard explores the meaning of the universe in internal auditing terms.
ne of the questions I am regularly asked in my professional and academic capacity is how I quantify my organisations internal audit universe. To this my reply is usually: Well its good to be an internal auditor rather than a scientist. Professor Brian Cox writing in the Wall Street Journal in April 2013 explained: Quantum theory tells us that the universe we experience emerges from a bewildering, counterintuitive maelstrom of interactions between an infinity of recalcitrant sub-atomic particles. Believe me, defining the internal audit universe is much simpler than that, although the principles may well be similar. The definition of internal audit quoted in the International Professional Practices Framework (IPPF) gives us a clear steer that we should be concerned with an organisations operations; in other words, everything that our organisation encompasses and interacts with. In such terms, both the quantification of the scope of operations and their review clearly represents a massive task, but if we do not attempt to consider the entirety of the whole, how can we decide where we should focus our attention? So the issue becomes not what is the size of the universe? , as this is a simple if exhaustive exercise, but rather what is the extent of the focus for our internal audit plan in strategic and operational terms? . I therefore offer two views of how a head of internal audit might advise an audit committee over the components of the internal audit plans. The increasing prominence of governance statements and the requirement for transparent reporting of significant risks provides guidance that what matters is the assurance needs of internal and external stakeholders.The aim of the board is to deliver a clean opinion on the position of the organisation. It needs to know whether internal audit is able through its periodic and annual reporting to deliver an assurance report that supports such a statement. This should direct the focus of our internal audit plan. Can we provide assurance opinions in relation to what the board would not wish to report, presumably covering a triple bottom line of sustainability, corporate social responsibility and financial performance? We might consider this as the corporate dashboard .

If we do not consider the whole, how can we decide where to focus attention?

World-class internal audit teams are multidisciplinary and reflect the nature of the organisation

}
executive or operational management. The significant question for heads of internal audit is, therefore, whether you are engaged with this level of strategic risk within your organisation. If so, do you have the appropriate level of resources and skills to deal with risk issues that will arise across the spectrum of activity that your organisation encounters? I believe that world-class internal audit teams are multidisciplinary and reflect the nature of the organisation, with audit staff also being appropriately trained in internal audit practice so that they can fully associate themselves with the fundamental responsibilities of the role. We should therefore focus not on the whole universe, but on the most relevant aspects of it to help our organisations achieve objectives by delivering assurance that systems of control, governance and risk management are appropriate. Professor Robin Pritchard is head of the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School. He is chair of Severnside Housing and manages his own consultancy, Ra Business Services. For IIA guidance on the audit universe visit www.iia.org.uk/audituniverse.

A different way to approach this could be to look at where the board gets assurance from this is a pre-requisite of governance codes and the IPPF (standard 2050).This requires analysis of the three lines of defence, in which inherent and residual risk are assessed, before management can provide assurance over the operation of procedures. At this stage we can assume that residual risk is likely to fall into one of three categories: Deep purple an unacceptable level of risk remains, which is above the risk appetite of the board. Purple the level of risk exposure requires constant monitoring by executive management. Violet a level of risk that is unlikely to cause business disruption. Such analysis of the risks can be transposed into three areas of internal audit activity. At the deep purple level management will implement solutions to bring risk exposure within the risk appetite of the board. Internal audit activity is likely to be of a consultancy or advisory nature. In the purple area there is a control risk line where, if key controls failed, the organisation would be exposed to unacceptable or even catastrophic risk.This is where internal audit needs to provide assurance-based work as a third line of defence. The violet area is likely to feature operational activity.Therefore some compliance audit may be appropriate to reassure the board about the continuity of control and to contribute to overarching opinions relating to control, governance and risk management. The essential aspect of the internal audit plan is therefore risk-based, featuring not only the areas of perceived greatest risk, but also key controls within them. These will be the areas that the head of internal audit will recommend to the audit committee for attention, since this will directly support the governance statement. Areas where consultancy or compliance audit may be required are likely to be at the request of

23

Categories of residual risk

Critical 4 4 8 12 16

I mpac t o n b u s in e s s

Major 3
Moderate 2 Minor 1

12

1 Almost Never 1

2 Unlikely 2

3 Likely 2

4 Almost Certain 4

li k e li h o o d o f o ccu r r in g

Acceptable level of risk subject to regular monitoring Risk management measures need to be put in place and monitored Unacceptable level of risk exposure, which requires extensive management

24

When the Financial Services Authority (FSA) fined fund manager Martin Currie 3.5m in 2012 for failing to manage a conflict of interest between clients, it was a sign of heightened regulatory scrutiny of asset managers approach to managing such issues. In November last year, the FSA sent the chief executives of every UK asset manager a letter asking them to confirm that their firms had adequate conflict procedures in place. And, under the guise of the new Financial Conduct Authority (FCA), it is now said to be considering multi-millionpound fines for fund managers that use investors money to pay investment banks for access to the CEOs of their corporate clients (reportedly up to $20,000 an hour). But conflicts of interest can occur in all types of organisation. For example, the Financial Reporting Council (FRC) recently announced two investigations into the audit arm of KPMG over possible conflicts. And last October the European Court of Auditors found that a number of EU agencies, including the European Food Safety Agency and

the European Medicines Agency, had failed to manage conflict of interest situations adequately.

Sources of conflict
Conflicts of interest can occur in a wide range of situations.They might involve a clash between an employees personal interests and those of their employers customer or stakeholder. Gifts and entertainment are obvious examples, whether it is a case of a head of procurement being paid to fly around the world to attend a prestigious sporting event by a supplier trying to sell them services, or a local councillor accepting a bottle of champagne from a company and subsequently sitting on a panel deciding whether to award them work. Or it could be an individual holding shares or having another financial interest in a client, supplier or competitor. Other types of conflict occur between the interests of different clients.This is a particular problem for law firms, which are prohibited by the Solicitors Regulation Authority from acting for a client whose interests

Conflict resolution?
Words: Peter Curtis

While it might seem obvious that an MP should not accept cash from lobbyists to ask questions in Parliament, some conflicts of interest can be hard to spot and depend on an individuals role as well as the sector they work in. So how can internal audit help firms to be on guard?

Conflicts of interest might involve a clash between an employees personal interests and those of their employers customer or stakeholder.

25

{
IAs need to be aware of a recent change to Financial Reporting Council standards for external auditors that will affect how the two sets of auditors can work together. Direct assistance where external auditors take IAs into their audit team for a period of time will now be prohibited. Its a move that has been taken precisely to avoid conflicts of interest and a lack of independence , explains Melanie McLaren, executive director of codes and standards at the FRC. Clearly an internal auditor who is

Issues for councils are typically around property and procurement for officers and planning for council members

An end to direct assistance

employed by a company has a financial interest in it. External auditors will still be able to rely on the work of IAs provided that it has been scoped and managed by the internal audit function and that the external auditor is satisfied that it has been approached objectively and appropriately reviewed. There is, of course, an ongoing debate at European level over the possible compulsory rotation of external auditors and restrictions on the consultancy services that they can provide. In the UK, the FRC doesnt support mandatory rotation, but changed the corporate governance code last autumn to stipulate (on a comply-orexplain basis) mandatory retendering of external audit contracts every ten years by FTSE 350 companies. Our view is that investors deserve the best quality audit, says McLaren. In some parts of the market there isnt a large number of firms capable of carrying out a sufficiently high-quality external audit, largely because of the global reach or sectoral expertise needed. In terms of firms consultancy work, McLaren says the FRC isnt in favour of a cap on so-called audit-related services. We think it would be better to say that there are certain services that cant be provided (such as advocacy) and then place a requirement on audit committees to satisfy themselves in terms of independence, objectivity threats and safeguards on the other work.

26

clash with those of another client or of the firm itself. As a result, many now have teams dedicated to detecting potential issues. Concerns over a lack of independence can also be a problem for external auditors. In May, the FRC which sets ethical standards to ensure their objectivity and impartiality published its annual report into audit quality inspections. While it highlighted an improvement in the overall quality of external audit work, it also found that firms should reassess the adequacy of their independence and ethics procedures and the training they provide to staff at all levels. In one case, a former executive of an audited organisation rejoined its audit firm as a partner, but failed to dispose of a shareholding in the organisation for several months, in breach of ethical standards. Whatever the nature of conflicts, there can be regulatory consequences for failing to manage them appropriately. Company boards have a statutory duty under the Companies Act 2006 to avoid conflicts of interest, while the UK corporate governance and stewardship codes (overseen by the FRC) place a range of requirements on boards and investors for handling independence and potential conflicts on a comply-or-explain basis . The Bribery Act 2010 has increased scrutiny over employees accepting gifts and entertainment.The professions also have

their own ethical codes and systems of regulatory oversight. But legal problems are not the only danger from conflicts of interest theres also the risk of reputational damage. Angela Robertson, general counsel at Eversheds, notes: If a law firm takes on a piece of work for a client and a conflict of interest is subsequently identified, it could severely damage or even kill that client relationship. In some sectors particularly those where clients are sensitive around conflict issues it could have repercussions across the industry, because word would get out to others. Obviously theres a risk of adverse publicity, particularly in the legal press.

Reducing the risks

How can organisations reduce the risk of conflicts of interest occurring?The starting point is for all conflicts or potential conflicts to be declared or identified so they can be managed appropriately. At Wokingham Borough Council all councillors and senior managers are asked to complete a declaration of any known conflicts of interest annually. But this is only as effective as the training and understanding that goes with it, explains Muir Laurie CMIIA, director of business assurance and democratic services and head of internal audit at the council.

I think some internal audit teams think that getting 100 per cent completion of those forms is all you need to do. But that doesnt mean there arent conflicts of interest managers may be unaware of them or knowingly leave them off forms because it might ruin relationships they have with contractors. Issues for councils in general are typically around property and procurement for officers and planning for council members. Laurie says that Wokingham runs governance training sessions for newly elected councillors. If a council member is sitting on the planning committee hearing a planning application from one of their neighbours wanting to build a conservatory in their back garden, should they declare it? They should and thats the kind of practical example we try to give. In the legal sector, a lot of conflict management relies on processes and technology, explains Robertson. As well as being responsible for conflict management at Eversheds, she previously set up the global conflicts team at Clifford Chance after it had undergone two mergers. Every single piece of new work for a client, whether new or existing, had to go through the central conflicts team to identify whether there were any legal or commercial conflicts of interest, she explains.

Whatever the nature of conflicts,there can be regulatory consequences for failing to manage them appropriately
A law firm needs a good conflicts database containing details of all its current and historic clients and cases, she adds. You need to be able to identify what work youve done for which client over a period of time. Youve also got to have a good, clear process that everybody is aware of, so that you dont start acting on a piece of work for a client until youve checked with the conflicts team, assuming you have one. But lawyers must also be trained to understand the importance of giving the correct information to the conflicts team, she adds. A conflicts system relies on people using it properly and inputting the right information. Getting the right culture and governance framework is also an important issue for asset managers and reflects the FCAs focus on consumer protection, believes Amanda Rowland, the partner who heads up PwCs asset management regulation team. If senior management are getting the right information and are fully engaged, and the culture is right within the firm, all of these issues whether conflicts or anything else that affects consumers and products will be handled better, she says. While she believes that most firms would say that they were managing conflicts of interest in a way that they felt was

appropriate , the regulatory expectation has shifted and the level of attention from the regulator has clearly concentrated minds . Since then, firms have been looking at their written policies and procedures and ensuring they have appropriate control mechanisms for declaring, registering or managing conflicts. But there are still grey areas particularly relating to concerns raised by the FCA over the way asset managers buy research and trade execution services on behalf of clients. Clearly theres the potential for conflicts.The question is whats the best way to deal with that, while at the same time leaving asset managers with access to the best quality research that enables them to make the best decision for their funds and provide the best service for their customers. The matter is the subject of an ongoing discussion between the regulator and the industry, she adds. So whats the role for IAs in terms of managing conflicts of interest? As part of our internal audit plan, well carry out a review of declarations of interest for officers and members, says Laurie. We dont look just at the completion rate, but whether they are consistent with our cumulative audit knowledge and experience. If they arent, we can flag it up. Its also important for a head of internal audit to lead by example and be very transparent about any perceived or actual conflicts of interest that they face themselves, he adds. USEFUL resources OECD guidelines for managing conflicts of interest in the public sector: http://bit.ly/15B4Yot FSA paper on conflicts of interest between asset managers and their customers: http://bit.ly/13lfboW Hargreaves Lansdown conflicts of interest policy: www.hl.co.uk/conflicts 3M conflicts of interest policy (US): http://bit.ly/11YFsLy Companies Act 2006 a directors duty to avoid conflicts of interest (Pinsent Masons): http://bit.ly/18OjTxw

27

Good call? For the past decade hotlines have been the

indispensible favourite form of early warning system for companies in all sectors anxious to spot the first signs of all types of wrong doing. Not only is a hotline a universal talisman against evil, it pleases the regulators and impresses investors. But do they really work? Probably not, if no one ever calls them. So when are they effective and what can you do to ensure they live up to companies great expectations?
28 Words: Nick Waldron
The corporate collapses of the late 1990s and early 2000s led to a proliferation of internal hotlines for reporting wrong doing. Companies worried about similar catastrophes saw hotlines as an early warning system that would enable them to address problems internally before they grew out of control and were exposed externally. Hotlines are cheap to install, are considered best practice and are even mandated by legislation for particular types of business operating in certain countries. The success of hotlines at detecting fraud is widely reported. In its 2010 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners found that: Hotlines were the control with the greatest associated reduction in median [dollar] loss, reinforcing their value as an effective anti-fraud measure. Hotlines also have the support of some business heavyweights. In one of his chairmans letters for Berkshire Hathaway Warren Buffet stated: Berkshire would be more valuable today if I had put in a whistleblower line decades ago. So, if hotlines are cheap, effective, recommended as best practice and sometimes mandatory, their implementation is presumably a no brainer? Well, not quite. There is some disquiet in organisations that have implemented hotlines. A post on the IIAs discussion forum by Guvnor Hans stated that his organisations whistleblowing policy had been running for two years and had not had a single response. He posed the rhetorical question: Does this mean that everything is OK inside the organisation, or that the scheme to prompt people to report wrong doing has failed? The ensuing thread indicated that other auditors had similar experiences with their organisations hotlines. Is it conceivable, then, that the hotline is not always the cheap, effective wonder drug it seems, despite being prescribed widely to fight wrong doing in all its various forms on all fronts since the beginning of the century?The success of hotlines at detecting fraud in large organisations is borne up by the statistics, but are hotlines effective at detecting or deterring other types of wrong doing in other types of organisation in other countries and cultures? This question prompted us to try to determine the effectiveness of whistleblowing

hotlines in detecting and deterring various types of wrong doing across a range of organisation types, sizes and sectors in different countries and cultures. We conducted an internet survey from May to September 2012, which received 137 usable responses (some of which were followed up with interviews). Of these responses, 87 had some form of whistleblowing hotline in place, although use varied in different organisations. The first problem to overcome when assessing the effectiveness of a hotline is

One interviewee cynically suggested that his employer had set up a hotline and then failed to man it to avoid detecting wrong doing
what to use as a measure of effectiveness. In order to determine both the metrics against which to measure and the targets to aim for within those metrics, hotline operators need first to establish what they are hoping to achieve in setting up a hotline. If, as 18 per cent of survey respondents indicated, the aim is to meet a regulatory requirement, the mere presence of a hotline achieves the objective.The risk is that hotline implementation becomes an end in itself. One interviewee cynically suggested that his employer had set up a hotline, but had then failed to man it in order to avoid detecting wrong doing channelling complaints into a black hole.This view was echoed by PriceWaterhouseCoopers 2011 report Corruption and Conflict of Interest in the European Institutions:The Effectiveness of Whistleblowers which stated: It appears that the EU institutions are looking to avoid negative news rather than intrinsically seeking to promote correct and transparent culture.

Diligent hotline operators are likely to require more from the hotline than its mere presence.They might expect, for example, an increase in the detection of wrong doing or a decrease in wrong doing itself.They then need to measure the achievement of such objectives. One obvious measure of effectiveness is numbers of reported incidents.These figures are used in, for example, reporting hotlines success in detecting fraud. However, used in isolation, incident numbers may not be an appropriate measure of effectiveness. For a start, numbers of reported incidents are often too low to demonstrate quantifiable improvements in control.The survey showed that during 2011, 52 per cent of respondents received ten or fewer calls. Small numbers of reported incidents may hamper meaningful trend analysis, but do not necessarily indicate that a hotline is ineffective. In its Whistleblowing Code of Practice, the British Standards Institution argues that one single, well-founded concern can more than justify the modest expense that whistleblowing arrangements incur . Moreover, some reported incidents may be frivolous calls or calls that cannot be substantiated with evidence, particularly when hotlines accept anonymous calls (92 per cent of surveyed hotlines). One survey respondent stated: Most of the reported incidents turn out to be unsubstantiated and many of the anonymous allegations are malicious or vexatious. The survey found that hotlines accepting anonymous calls receive more calls than those that dont. However, 23 per cent of respondents indicated that only ten per cent or fewer of the calls they received offered evidence of actual wrong doing.The remaining 90 per cent are what Miceli, Near and Dworkin refer to as noise in their study Whistleblowing in Organizations. Furthermore, a simple rise in the number of reported incidents may not be a good

29

30

indicator of a hotlines effectiveness. If the hotlines objective is ultimately to deter would-be wrongdoers, the hotline operator might hope for an initial rise in reported incidents as potential whistleblowers gain the confidence to take the plunge, followed by a decrease as would-be wrongdoers realise they might be punished.This ideal trend was observed by only between one and eight per cent of respondents for personnel-related incidents and security/ confidentialityrelated incidents respectively. As the ideal trend was observed only rarely, the research used any increase in the amount of detected wrong doing, together with the opinions of respondents, as measures of effectiveness.The results were analysed by geographical region, by organisation size and by organisation type (charts 1 and 2). The first indicated that survey respondents across all geographical regions have largely positive impressions of the effectiveness of their hotlines. Interestingly, respondents from regions where whistleblowing is well established and supported by comprehensive legislation

Confidence in hotlines can quickly crash if users have bad experiences

(Australasia, North America and the UK and Ireland) were less positive than those from other regions, possibly because of longer experience, or as a result of resistance to wider ranging legal requirements in those regions. In this analysis the largest increase in the detection of wrong doing was in fraud. However, in 33 per cent to 54 per cent of responses (depending on region), there was no increase in fraud detection. When it came to other types of wrong doing even more respondents said they saw no increase in detection. Analysis by type of organisation also showed that positive impressions of hotline effectiveness are more widespread than increases in the detection of wrong doing. It is interesting to note the relative opinions of the effectiveness across different organisation types. International organisations have a 100 per cent positive perception of their hotlines effectiveness (albeit for a small response population), possibly because of more recent implementation. Not-for-profit organisations have the second highest perception as well as the highest increase in the value of detected fraud the two findings

may be linked. Respondents from government have a slightly more negative opinion of the effectiveness of their hotlines than those in other sectors, possibly because hotlines have been imposed on them. Analysis by organisation size shows that perceptions of a hotlines effectiveness are generally higher than actual increases in detected wrong doing.The exception to this is in the largest organisations, where increases in detection rates are significantly higher.There is almost no increase in detected wrong doing following hotline implementation in organisations of 101-1,000 employees, where opinions of effectiveness are also lowest. Apart from fewer employees reporting fewer incidents, it may be that the intimacy of a small organisation increases the risk of confidentiality breaches, or leads to lenient sanctions so people believe reporting is risky and not worthwhile. A more positive interpretation is that team spirit in small organisations leads to less wrong doing. Either way, for the small organisations surveyed, hotlines were ineffective at

increasing detection of wrong doing. Overall, positive opinions of the effectiveness of hotlines range between 70 per cent and 100 per cent, whereas increases in the detection of wrong doing generally range from zero to 60 per cent. So survey respondents have a more positive impression of the effectiveness of their hotlines than is borne out by detection rates. Some survey respondents indicated that their hotline was implemented to meet their corporate responsibility requirements and that effectiveness need not necessarily be determined by an increase in the detection of wrong doing. Others felt that a lack of calls indicated ineffectiveness. One respondent stated: There has been no measurable difference in wrong doing being reported or uncovered since the hotline has been introduced. In terms of increased detection or deterrence, the small numbers of valid calls make it difficult to quantify hotline effectiveness in all but the largest organisations. In its Good Practice Guide on Speak Up Procedures the Institute of Business Ethics says that,

There is almost no increase in detected wrong doing following hotline implementation in organisations of 101-1,000 employees.

without comprehensive records, it is impossible to measure the effectiveness of whistleblowing mechanisms.This leaves hotline operators with a dilemma best practice is to keep records to measure effectiveness, but they have very few cases on which to hold data.This brings us back to how we know if the hotline is working when no one calls it? Various data can be gathered by operators to measure a hotlines effectiveness. Where incidents have been reported, they should retain detailed records of the validity of the report, the response and resolution time and the outcome (eg, sanctions, policy change, internal control improvements). Arguably more useful than this quantifiable information, is the opinion of the whistleblower (although this might not be possible if the caller is anonymous). Was their case handled fairly and in good time? Was the outcome reasonable? Was confidentiality respected? Were they kept informed? Did they suffer retaliation? The success of a hotline depends on whistleblowers coming forward. It can take a long time to build confidence to report and this can crash quickly if users have bad experiences. Without

% of total responses

user confidence, the hotline is dead and without comprehensive records the operator may not know it is dead. Measuring hotline effectiveness need not, however, be limited to data on reported incidents. Staff surveys can gauge opinion of hotlines. Questions should not be restricted to are you aware

Measuring hotline effectiveness need not be limited to data on reported incidents

How to measure a hotlines effectiveness

Decide on the purpose of your hotline. What type of wrong doing may be reported? Does it accept anonymous calls? Set your objectives and determine how to measure them. Set realistic, tangible targets. Keep comprehensive records. Measure what you can through hotline statistics on reported incidents. Where possible, obtain detailed feedback from whistleblowers. Conduct confidential staff surveys to determine staff opinion of the hotline. Benchmark against similar organisations. Conduct before and after comparisons of data related to wrong doing (eg financial loss through fraud).

of the hotline? , but should ask would you report wrong doing that you witnessed? , and if not, why not?You could benchmark against similar organisations hotlines using reports such as the 2010 Corporate Governance and Compliance Benchmarking Report by BDO Consulting andThe Network to measure your hotlines relative effectiveness. To measure the effectiveness of the hotline as a deterrent, you need comparisons of before and after data related to the consequences of wrong doing (eg theft data, costs of legal cases or information leaks). Credibility is crucial. An ineffective hotline that is seen as window-dressing can increase staff cynicism towards management and is likely to damage rather than help the fight against wrong doing. It is vital that hotline operators are clear about what they want to achieve, and then actively monitor (by recording and analysing detailed records) the achievement of their objectives. It may be complicated to measure effectiveness, but without constant monitoring,

measurement and adjustment, the hotline is doomed to fail. Nick Waldron CMIIA is internal auditor at the European Space Agency headquarters in Paris.

31

1. Respondents who see hotlines as effective by organisation size

100 80
75% 100% 80%

60 40 20 0

69%

76%

1-100

staff

1001,000

1,00110,000

10,001- >100,000 100,000

2. Respondents who see hotlines as effective by organisation type

100
% of total responses
100% 86% 71% 75% 78%

80 60 40 20 0

Government International organisation Private company PLC Not for profit

FOR MORE INFORMATION To read full versions of the tables shown above visit www.auditandrisk.org.uk

Tools for the job

Quantifying quality
Its easy enough to see how much internal audit costs, but can you improve the way you demonstrate the value that your organisation gets in return? Scott Wallace finds some pointers in the results of new research by KPMG in Scotland.
We are currently in a period where businesses need to take risks to grow, yet have a low tolerance of failure. The role of internal audit has, arguably, never been so important, yet the cost of internal audit is becoming ever more visible and this means it can be challenged. So internal auditors need to demonstrate the value delivered by their function. Researchers from KPMG, at the IIA Scotland conference in November, asked representatives from some of Scotlands biggest companies: Can you measure the value delivered by your internal audit function? This research was supported by a series of workshops that added qualitative value. It identified three key challenges: strategic; measurement; personal/ personnel. The strategic challenge: surprisingly, one of the main challenges facing internal audit is a lack of clarity around its strategy and remit. Nearly a quarter of those polled were either unaware of, or did not have, an internal audit strategy. You need a clear remit and strategic positioning of the function to know what to measure. The problem is exacerbated by a range of reporting lines for the chief audit executive. Paradoxically, almost all respondents had performance incentives that included measurement criteria. So performance measurement is part of the culture and, therefore, we need to shift the focus to the links between performance and the internal audit strategy. The simple step of engaging with the audit committee and executive management to define their needs and requirements should help to inform future work. The measurement challenge: how to measure added value is a crucial question and is generally seen as the most difficult part of the process. Measuring internal efficiency and productivity is now more common. The research suggests that 96 per cent of private sector and more than 80 per cent of public sector organisations measure department performance. In these cases more than 40 per cent provide the performance statistics in their reports to audit committees. However only 20 per cent of respondents measure value-driven items such as savings, fraud prevention and identifying control weaknesses. So measuring results is more difficult and much less prevalent than measuring activity. The personal/personnel challenge: does the measurement challenge indicate a personnel challenge? Responses showed a clear link between internal audit performance objectives and those of internal auditors (in almost all cases around 95 per cent). Equally, they showed no link between cost savings, value adding and the personal objectives of internal auditors. This may be a chicken and egg dilemma and further indicates the lack of definition described above. Respondents also indicated that further work is needed to establish the right IA resource quality and mix. More than 30 per cent said they need greater depth of functional resources. Most people agree that it is desirable to demonstrate the value of internal audit. So what can the profession do to show the value it adds and share experiences as a profession and functional activity? The research pointed to four areas: 1. A clear remit: make visible and be clear about internal audits responsibilities and what it will, and will not, undertake and assure. 2. Improve quality and maximise the internal audit report communication. Link reports to the organisations strategy, objectives and values. Make them relevant to the organisation and ask recipients what they want. 3. Commission independent, interview-led feedback. Getting feedback from areas being audited can result in a conflict of interest. It is more valuable when obtained in an independent interview. 4. Identify a Top Ten set of common measurement criteria to form a dashboard of internal audit delivery. This should audit progress against the IA plan, give quarterly updates of high-risk audit areas, benchmark similar processes across the organisation and get feedback on any inconsistencies. Scott Wallace is director for internal audit, KPMG, in Scotland.

32

Career development

In the beginning

What factors should you consider when establishing and embedding a new internal audit function? What challenges will you encounter, and what opportunities might arise? Ross Boreland CMIIA offers some advice.

he importance of a strong internal audit function is not always obvious to managers or employees. Some see it as an overhead or a source of awkward questions that hinders operations. So first you need to understand what drove the decision to establish the function. Did the board have no option (is it a regulatory requirement)? Did shareholders or a parent company demand it or external auditors recommend it? Did the board want an internal audit function? Did something happen which made it impossible not to have internal audit? You then need to consider the corporate structure of the organisation and plan how to introduce an audit function with the best possible standards. These questions enable the head of a new internal audit function to put their position in a wider context. The answers should indicate the priorities of the board and ensure that your audit plan covers the key issues. They might also identify areas where internal audit needs to win trust. Ask how the board and management see the role of internal audit. If they want the function to fulfil static objectives, such as generic balance sheet or income statement reviews, it might be difficult to develop a wider role. This can also be a problem if the function is set up in reaction to an incident. Your first audit plan will probably address the key concerns of the board. It

may or may not be linked specifically to the organisations risk register, but it will be geared to the areas where the board needs short-term assurance. At this stage the function will probably have limited resources and may have enough work completing even a simple plan. When you start to develop the role, you need to know the organisations position on risk management. An open-minded attitude should enable you to align the audit plan with the organisations strategic objectives. Risks can be incorporated as they are identified. Informal approaches to risk management make this more difficult. Inherent risk may be inadequately documented and information can be trapped in management silos. Managers might believe they are managing risk, but these risks may be historic, generic or function- specific and may ignore support departments where the impact of incidents is not immediately apparent. Managers may not agree which risks need to be addressed. If so, you will have to learn more about the organisation and find the best way to discuss it. Putting the work in now should help to identify non-assurance areas where internal audit can add value, and conversations, questions and suggestions may open managements eyes to more risks. You may need to make difficult choices about audit scope. If regulators demand particular reviews, you may have little time for other areas. If the board merely wants reassurance about the numbers, it might restrict audits to

balance sheet and income statement reviews. Alternatively, the board may want a comprehensive plan without providing resources. If so, you must explain the implications and manage expectations. Delivering results is central to demonstrating the value of internal audit. Use early reports to identify new areas of work and show management that you can do more than what they initially wanted. Discuss issues to ensure that all parties are clear about what reports mean. Grading findings will be a hot topic, particularly if managers are new to audit, or used to getting low grade issues. Negotiating the wording of findings and grades can be difficult, but it helps you to focus on what is important. If managers or staff fear recriminations, they will resist. You need to work with the board, managers and staff to allay fears. A board that accepts and delegates responsibility for issues makes it easier for internal audit to be a partner, not an agency of blame. You cannot change a blame culture overnight, but you can stress that your concern is rectifying problems and enhancing controls. Building trust improves information flows, makes audits more efficient and encourages staff to raise issues. It takes time to embed a function. If you understand your business and deliver a quality product, you will create opportunities for internal audit to add real value. Ross Boreland CMIIA is assistant manager, enterprise risk services, Deloitte, Dublin. The IIA recently issued guidance on setting up an IA function at www.iia.org.uk/setupnewIA

33

You asked us

Q&A

Our technical helpline provides valuable advice to members on a host of professional issues. Hereare some of the questions youve submitted recently.
emphasise that, if challenged, you should feel confident and able to provide sufficient evidence to support your views and recommendations. Thinking about the way your working papers link together and how much time it takes to complete them will help you to improve operations (efficiency), but this is secondary to providing reliable assurance

34

Q. I am looking for advice about conflicts of interest. I have recently moved into an audit role from an operational role and want to clarify what would be a reasonable length of time before I can audit the area where I worked? A. Ideally I would steer clear of auditing an area where you previously had responsibility. You may feel objective, but this may not be the view of your former colleagues and that may make it hard to agree conclusions and recommendations. If you have no option its generally thought that a one-year lapse is needed. Practice advisory 1130.A1-1 states: Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit those activities they previously performed or for which they had management responsibility until at least one year has elapsed. Such assignments are presumed to impair objectivity, and additional consideration should be exercised when supervising the engagement work and communicating engagement results. Q. I am looking for guidance on creating and maintaining good working papers. A. The format of working papers is less important than the content. The key aspect is to record relevant information such as your objectives, work programme, results of interviews, the extent of testing and the results from testing. All of these show how you have formulated your conclusions and your opinions. The international standards do not prescribe the format as such, but

Ideally, I would steer clear of auditing an area where you previously had responsibility.
(effectiveness). Lastly, working papers are the property of the organisation, so the head of internal audit needs to control access, develop retention requirements and obtain appropriate authority for their release. This will involve designing and implementing policies and procedures. Q. Can you advise me on what is best practice for the approval of a purchase requisition and subsequent purchase order? Does finance have a value-added role to play in this or should they allow budget holders to control spend? A. Im not sure there is such a thing as best practice any more, just a wide range of differing practice as organisations redesign procedures to take advantage of new technology and work to reduce costs. For example, I know one organisation that has removed requisitions altogether and automatically pays invoices if they match

the purchase order amount. They take the view that cost savings in time and staff reductions significantly outweigh the risk of errors and fraud. Some finance departments adopt a monitoring and control role as well as a processing role. This involves checking certain things are correct, eg, coding, use of preferred suppliers or competitive quotations. You could call that added value, but it comes at a cost. The alternative is to push some of those responsibilities on to management to spread the load or to develop new tools. My advice is to encourage a risk assessment of the purchasing process from start to finish with review of required responses. If that has been done, you could assess how effective that is and verify that controls are working. This will give an all-round view of risk management rather than looking at things on a control by control basis. Q. Is it compulsory for all UK listed companies to have an IA function? A. There is no mandatory requirement for listed companies to have an internal audit function, but it should be something that audit committees consider on an annual basis. Absence of an internal audit function should be explained in the annual report.

I know one organisation that has removed requisitions and automatically pays invoices if they match the purchase order amount

The following three documents and extracts provide more information and may be of interest. 1. Guidance for audit committees, the internal audit function, ICAEW, March 2004: Whether to have an internal audit function. Having an internal audit function is not mandatory for listed companies, although it is for certain public sector organisations. Therefore the board of a smaller listed company may decide that it already gains sufficient assurance on risk, control and governance from other assurance activities within the organisation, for example, directly from regular management information and self-monitoring, from other assurance functions such as security or health and safety or from its external auditors. In short, a company may conduct internal audit activities even though there is no internal audit function. 2. Guidance on Audit Committees 2010, Financial Reporting Council, page 11 4.10/4.11: The audit committee should monitor and review the effectiveness of the companys internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the

board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report. The need for an internal audit function will vary depending on company specific factors including the scale, diversity and complexity of the companys activities and the number of employees, as well as cost/ benefit considerations. Senior management and the board may desire objective assurance and advice on risk and control. An adequately resourced internal audit function (or its equivalent where, for example, a third party is contracted to perform some or all of the work concerned) may provide such assurance and advice. There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues. 3. UK Corporate Governance Code 2010, Financial Reporting Council, page 32: In addition to the comply or explain requirement in the listing rules, the code includes specific requirements for disclosure which must be provided in order to comply including: The annual report should include where there is no internal audit function, the reasons for the absence of such a function (C.3.5). Q. Our external auditors have advised our internal auditor, which is a small one-person external consultancy practice providing internal audit services, that an external assessment is required to evaluate the quality of the internal audit service provided. This is to accord with the requirements of the International Standards for Professional Practice of Internal Auditing (Standards). My reading of paragraph 1312 external assessments of the said standards is that external assessments apply to in-house provision and not to external providers. In addition,

paragraph 2070 suggests to me that the review carried out inhouse to ensure that governance arrangements are effective, which includes internal audit, would negate the need for an external assessment to be done on an external internal audit service provider. A. Our standards are written as a general set of principles that can be applied by in-house and external providers of internal audit. In other words, all of the standards, including the ones on quality, apply to all forms of delivery. This means external providers need to have five-yearly assessments. I have done some of these as part of the EQA service the institute now offers. Standard 2070 was added in 2011. Its purpose is to emphasise that the organisation is ultimately responsible for the effectiveness and quality of its internal audit service when the service is outsourced. An organisation cannot put the blame on the provider if part or all of the service does not live up to expectations 2070 puts the onus on management to do something about it. This increases rather than negates the need for an EQA where an external provider of internal audit occurs. We recognise that it may be difficult to apply all the standards in small or oneperson internal audit activities so our global body has issued some guidance on how to apply the standard in such circumstances called Assisting small internal audit activities in implementing the International Standards for the Professional Practice of internal audit. This can be accessed at http://bit.ly/12raWv4. This guidance recognises that cost may be an issue and advocates peer review as a cost-effective option. The problem for you is that a firm may be reluctant to have a competitor carry out its EQA, which is why we now offer a service. Got a question? Contact Chris Baker on the IIA technical helpline on0845 883 4739 or email technical@iia.org.uk

35

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see whats new.

UPDATE
Heads of internal audit rubbed shoulders with high-profile business leaders and senior figures from other professional bodies at the institutes annual dinner on 20 June. The event took place in the beautiful surroundings of the Guildhall in London. One highlight was a thought-provoking speech by Douglas Flint, group chairman of HSBC Holdings, which was particularly timely given the challenges and regulatory changes currently affecting the banking industry. No annual dinner would be complete without prizes to recognise outstanding

We round up the latest business and regulatory news to affect the internal audit profession.

IIA awards celebrate best and brightest

achievement by members and students. This year Phil Tarling CFIIA was awarded the JJ Morris Award For Distinguished Service, while Helen Higgs CMIIA and Iain Burns CMIIA both accepted Special Awards 2013. Achievements in IIA exams were celebrated with prizes for top performing students. The Peter Hook Prize 2012 was awarded to Alexis Stirling CMIIA and Joanne Clewes won the Charles Duly Prize 2012. Interviews with the prize winners and photographs of the event can be found on the Audit and Risk website at auditandrisk.org.uk.

Face-to-face learning
The IIA is planning a pilot face-to-face learning programme for the IIA Advanced Diploma to be delivered in London. Students will receive all the relevant study materials, including the institutes texts, learning packs, and a CD-Rom with extra content. As with the IIAs distance-learning programme, the focus is on equipping students to be excellent internal auditors. The pilot will run in September and can accept a maximum of 15 students, so if you are interested, you should book early. Contact the learning office on 020 7819 1939 or email learning@iia. org.uk for more information.

36

London conference 2014

The IIA will host the largest annual gathering of internal auditors next year.
The Chartered Institute of Internal Auditors will host the IIA international conference in 2014.The IIA Global international conference committee chose London partly because of the success of the IIAs own national conference. The conference is the largest annual gathering of internal auditors. More than 2,000 delegates from 100 countries across the world will gather to hear international speakers, educators and professionals discuss a range of topics designed to enhance their knowledge and share best practice. Delegates will benefit from learning about the global audit experiences of recognised practitioners as well as expanding their professional network.They will also be able to visit a huge exhibition and enjoy a gala evening. Although 2014 still seems some time away, the institute has started planning for the conference and will need your support. Visit www.iia.org.uk for regular updates and follow the IIA on Facebook, LinkedIn and Twitter for news and exclusive offers. FOR MORE INFORMATION If you are interested in speaking at the event, nominating someone you know or volunteering your time, contact Ann Cantillon at ann.cantillon@iia.org.uk

Calling all HIAs IIA launches its first annual survey of internal audit
In July we will be launching the IIAs first ever annual survey of internal audit. We will be asking all heads of internal audit to tell us more about the profession. We need your input so that we can understand and analyse the professions strengths and development needs.This will help us to communicate to regulators, legislators and the media, as well as your audit committee chairs and chief executives, more about the value and importance of internal audit. Watch out for our online survey, which will be available on our website and e-mailed to you soon.The results will be posted online later this year.

Maintaining an internal control framework that is fit for purpose in these challenging times is imperative. Doing so presents a significant challenge.
Take control of your business processes with ICE

ICE helps organisations design, document, monitor, report, and continuously improve their internal control environment.

For details and brochure see www.whitehallmanagement.co.uk info@whitehallmanagement.co.uk

IA TB Half page ad Jan

4/12/12

15:21

Page 1

Rigorous, Insightful, Objective, Expert, Efficient

Thats what you want to be as internal auditors. Its what your board and management expect you to be. Your annual effectiveness self-assessment needs to be just the same. And Thinking Board our web-based self-assessment service gives you this and more. Thinking Board draws on Independent Audits expertise in conducting external reviews of internal audit. Its easy to use, helping you gather feedback from a wide range of people across the organisation. Its imaginative questions and question design tells you more than youd expect. And clever automated reports allow easy analysis and ready insight. If youd like to find out more about Thinking Board or to arrange a demonstration, please contact:
hanif.barma@independentaudit.com +44(0)20 7220 6584 tim.anderson-edward@independentaudit.com +44(0)20 7220 6545
A service from

Independent Audit Limited, 4 Bury Street, London EC3A 5AW

Events
For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

38

IIA training courses & events

July
10
HIAS forum security for your business London

18-19

Auditing projects, project management and project risk London

10-12

Internal auditing a beginners course Surrey

17
The internal auditors guide to strategic thinking London

September
3
Ultimate persuasion techniques LONDON

11-12

10-11

IIA Award in the internal audit planning and assurance framework London

IIA Annual Conference 2013 Expect more, harnessing the power London

17-18
IIA Award in effective delivery of audit and assurance York

16-17

4-5

19-20

Heads of internal audit induction master class York

A practical guide to evaluating risks and controls London

Post your event

IIA Award in interpersonal skills for audit and assurance York

17

4-6

Audit report writing London

Cheia Higher Education Internal Audit Conference Glasgow

IIA regions and specialinterest groups may include details of upcoming events. Contact trainingandevents@ iia.org.uk please state the

25-26
Techniques for effective testing York

17-18

IIA award in corporate governance and risk management London

10

event title,date, venue and contact details.

HIAS forum social, economic and political risk how to focus on key issues London

The deadline for the September/October issue of Audit & Risk is 17 July.

26

Assurance mapping a practitioners workshop London

IIA face-to-face tuition available for November 2013 exams

The IIA offers a comprehensive face-to-face learning programme for IIA Diploma students studying towards the November 2013 exams.
Choose the Institute for your support
s s s s Four days of intensive syllabus-focused tuition Bespoke learning texts and workbooks Detailed feedback on assignments Expert and experienced tutors

Register now! Limited places available Our workshops are guaranteed we promise never to cancel

2013 Tuition workshops scheduled in London

s s s s s P1 The Internal Audit Environment 09-12 September P2 Financial Risks and Controls 16-19 September P3 Internal Audit Practice 24-27 September P4 Information Systems Auditing 02-05 September P5 Corporate Governance and Risk Management 16-19 September

Dont delay - start your journey to become a Chartered Internal Auditor today. Contact IIA Learning: Tel 020 7819 1939 email learning@iia.org.uk www.iia.org.uk

Student noticeboard

Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
You can request either a clerical check of your script or a full review including a clerical check and a report giving feedback on your performance. Options cannot be changed after submission. The first option costs 51 plus VAT and the second option costs 107 plus VAT. You can apply for a review only via the application form on our website. Submissions must be received at the institute by 5pm on Wednesday 28 August. Review requests may be submitted only by students. Further information will be supplied with the exam results. You will get your review results within four weeks of the institute receiving the request and the fee. If a review results in a grade being revised from a fail grade to a pass grade, you will be notified and the review fee will be refunded.

Publication of the June 2013 question papers

The June 2013 question papers are now available at www.iia. org.uk/pastpapers. Please note that the IT Auditing Certificate paper and the P2 Financial Risks and Controls multiple-choice questions are not published as they contain secure question bank materials.

Open University accreditation opportunities for your CPD

The Open University awards general credit ratings to external bodies to give formal recognition of their qualifications. Since 2007 the Open University has recognised that the institutes professional qualifications are postgraduate

40

Release of the June 2013 exam results

The results of the latest assessments of the IIA Diploma, IIA Advanced Diploma and IIA IT Auditing Certificate will be dispatched to students on Wednesday 14 August.

level with up to 60 general credit rating points available for each of the IIA Diploma and the IIA Advanced Diploma, and up to 30 points available for the IIA Qualification in Computer Auditing. Qualified members can use these credit ratings to support an application to study a further qualification at a higher education institution. Members can also take advantage of awards of specific credit towards particular Open University distance-taught qualifications. For further information on Open University accreditation for IIA qualifications visit www.iia.org.uk/openuniversity.

Release of the past paper packs and the chief examiners reports
The past paper packs and the chief examiners reports from the June exam session will be available from Monday 9 September at www.iia.org.uk/ examreports.

November 2013 exams

Exams will be held from Monday 25 November to Thursday 28 November. Module IIA Diploma P1 The Internal Audit Environment P2 Financial Risks and Controls P3 Internal Audit Practice P4 Information Systems Auditing P5 Corporate Governance and Risk Management P7 Internal Audit Practice Case Study IIA Advanced Diploma M1 Strategic Management M2 Financial Management M3 Risk Assurance and Audit Management M4 Advanced Internal Auditing Case Study IIA IT Auditing Certificate A1 IT Auditing Certificate Multiple-Choice Questions Monday 25 9.30am to 11.30am Monday 25 Tuesday 26 Wednesday 27 Thursday 28 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm Monday 25 Tuesday 26 Tuesday 26 Wednesday 27 Thursday 28 Thursday 28 9.30am to 12.40pm 2pm to 5.10pm 9.30am to 12.40pm 9.30am to 12.40pm 9.30am to 12.40pm 2pm to 5.10pm November 2013 Time

Requesting a feedback review of exam results

The results, feedback review and appeals policy is available at www.iia.org.uk/students. Students dissatisfied with their exam results should read this information as soon as possible.

global brand boutique offering

Randstad Financial & Professional, formerly Martin Ward Anderson, now has a specialist corporate governance division covering: internal audit internal controls risk management IT audit SOX

our candidates Our network includes IIA members, newly qualied chartered accountants, multilingual and high-level internal audit directors. services available to you We also offer industry information for both clients and candidates: recruitment reviews & market insights global interviewing facilities interview advice CV writing

our approach Each client is unique so we tailor our approach to each role. We have experience in providing a number of recruitment solutions including: headhunting professional referrals retained campaigns multi vacancy campaigns contingent recruitment international campaigns

get in touch Whether seeking your next role, or hiring for a niche skill set please contact our corporate governance experts, quoting reference IIA. T: +44 (0) 207 786 6563 E: matthew.winstone@randstadfp.com W: www.randstadfp.com

Head of Audit and Assurance 61,171 - 68,849 Risk and Assurance Auditor 37,029 - 42,491
London SW6
The Mayors Office for Policing and Crime (MOPAC) discharges a broad range of statutory duties and is directly accountable to the Mayor and Deputy Mayor for Policing and Crime in delivering their agenda for London. It is dedicated to building a professional, highly skilled workforce that will assist in delivering the Police and Crime Plan for London. You will be joining the MOPAC Directorate of Audit, Risk and Assurance, a well-respected unit that has the interesting and challenging job of providing the internal audit service for the MOPAC and Metropolitan Police Service (MPS), and under a shared service arrangement, the London Fire Brigade and the Greater London Authority. As one of three Heads of Audit and Assurance, reporting to the Director, you will develop audit strategies to; help address key strategic risks associated with change, improve the internal control framework and ultimately deliver more efficient services. This offers you a rich variety of challenges and the opportunity to influence change at a senior level across a varied client base. The confidence, integrity and ability to operate at a senior level are essential. This will call for senior management experience in internal audit that includes providing risk and control advice to major change programmes, ICT technical knowledge and a thorough understanding of modern-day internal audit concepts and standards. You will be qualified to at least CMIIA or CCAB level, and a current member of the appropriate professional body. As a Risk and Assurance Auditor you will identify key risks, evaluate and test controls and identify areas of improvement, by planning and carrying out programmed audit assignments. A good level of practical internal auditing experience is essential and that will be supported by a recognised qualification (AAT/ PIIA) together with membership of the appropriate professional body. You will be someone who has a thorough understanding of risk-based auditing and the personal qualities and credibility to operate effectively as a representative of the MOPAC. In addition to an attractive salary package, the MOPAC offers a range of benefits including 32.5 days annual leave, interest free travel season ticket loan and a beneficial pension scheme and an emphasis on personal development and training. To apply please visit www.london.gov.uk/priorities/policing-crime/working-mopac for an application form or call 02071612461/3 for more details. Completed applications should be returned to recruitment.audit@mopac.london.gov.uk Completed applications must be returned by 22 July 2013. The Mayors Office for Policing and Crime is an equal opportunities employer.

Senior Internal Auditor

Competitive Salary + Benefits Chatham, Kent

At Vanquis Bank were very proud of the service we provide to our customers and of the many highly skilled professionals we have working across our business. Were also proud to be award winners, having received the Credit Card Provider of the Year award for the last four years. Having now accepted over 1.5 million customers across the UK and with highly ambitious plans for future growth, we are always looking for driven, ambitious and talented team players interested in becoming part of our incredible success story. With the continued expansion of our business, we now have an exciting opportunity for a highly skilled auditor who, as well as working on the UK credit card side of our business is keen to gain experience of our international operation, loans and dealings with suppliers. Reporting to the Head of Internal Audit, you will ensure there are sufficient controls in operation throughout the bank and that our directors can be confident they are operating effectively and efficiently. This will involve taking assignments (on your own or as team leader) lasting around 4 weeks to check that this is the case. You will also draft and update relevant policies and procedures to improve the control of risk identification, follow up recommendations and carry out ad hoc tests. This isnt a standard auditor role as you will be working on diverse projects including international, non-credit card and third party supplier activities Most of your time will be spent at Chatham, but you will also travel to our London and Bradford offices, as well as occasionally travelling to our offices abroad and visiting suppliers. With extensive audit experience in a multi-departmental business supported by full or part PIIA, ACCA or CIMA qualification and other relevant expertise, you will be able to demonstrate the strong analytical skills and attention to detail we seek. You must be able to identify a system and understand why the controls it uses are in place yet still question whether they are as effective and efficient as they can be. Focused, determined and objective, you have to be able to work with minimum supervision, and act with discretion and diplomacy. The ability to express yourself well in speech and writing will help you achieve this, while your good time management and willingness to work extra hours when necessary will ensure you are always on top of your work. To apply, please send both your CV and a covering note clearly explaining your reasoning for wanting to join Vanquis to: recruitment@vanquisbank.co.uk

Internal Auditor
Permanent: Full time Salary range: 24,958 - 29,373 Location: Camberley, Surrey
At Surrey Heath we believe that it is important that we provide excellent value and efficient services to our residents. To help us meet this aspiration we are now seeking a qualified internal auditor to join our small audit team to undertake a wide range of audits across the Council. Ideally we are looking for someone with experience of working in the public sector although this is not essential. More importantly you should be a self-starter, able to understand a variety of systems quickly, be challenging but constructive in your audit work and able to communicate with people at all levels in the Council both verbally and in reports. You will have: Audit Qualification (IIA, CIPFA or equivalent) Experience in risk based internal auditing Experience of the entire audit process from the scoping and planning of the audit, its execution and assessment leading to the final audit report A generous benefits package includes; a minimum of 24 days annual leave, flexible working, final salary pension scheme, life insurance, CPD training and free parking; For further information and to apply, please go to our website www.surreyheath.gov.uk. Closing date: Friday 26th July 2013 Interview date: Week commencing 12th August 2013 Surrey Heath Borough Council is committed to equality of opportunity in employment and service delivery and welcomes applications from all sectors of the community.

GOVERNOR VACANCY
Peterborough Regional College is seeking a governor with financial, audit or accountancy expertise to join its Governing Body, the Corporation Board and to serve on the Audit Committee. The Board is responsible for setting the Colleges Strategic direction and ensuring that the College delivers excellent outcomes to students and the local community. An interest in further and higher education and a commitment to improving the education and skills of young people and adults is essential. This is an unpaid role but will one which oers the opportunity to make an important contribution to a thriving college which is there to serve the local and wider community. If you are interested in finding out more, please contact Ana Lewis, anajlewis@googlemail.com or call 07543 933772 for further details. Closing date 31st August 2013.
Raising Aspirations, Realising Potential & Inspiring Success

Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School.
Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience. We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes: full time, block release or flexible learning*. The programme of study provides: - Single assessment for each module using both assignment and examination methods - Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels, as well as adding value through real world industry and professional experience - Significant visiting practitioner involvement in the delivery of each module - A cost effective pathway to internal audit career development. Annual course fees for September 2013 and January 2014 enrolments are 7,500 (full time) or 4,500 (part time) and include all learning materials and subscription/examination fees payable to the IIA. For further information, please visit our website: www.bcu.ac.uk/audit or contact us directly on mscaudit@bcu.ac.uk or 0121 331 6595 / 5623.
* Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.

corporate governance recruitment

London & City Principal Internal Auditor London 3740,500+Bens Regions Senior Internal Auditor Reading To55,000+Bens
This leading global distribution group is seeking a senior internal auditor to join its corporate audit team. You will provide independent and objective assurance around internal controls, procedures, corporate governance, compliance, US GAAP and FCPA requirements. You must have excellent commercial skills, be professionally qualified and have at least 5 years internal and/or external experience. Expect up to 40% international travel.

IT Audit Senior IT Auditor North West To45,000+Bens

A unique opportunity for an ambitious IT auditor has arisen with this successful, growing customer focussed group. Reporting to the Head of IT Audit you will work closely with IT stakeholders to improve the technology control environment and deliver the annual IT audit plan. A first class communicator with energy, drive and a commitment to maintaining a high level of performance is required for this fast paced group.

Audit Risk Compliance Security Legal Treasury

London Edinburgh New York Dubai Hong Kong Singapore

As a result of a promotion this growing local government shared service is looking to recruit an experienced Principal Internal Auditor. You will be expected to efficiently deliver a comprehensive internal audit service, covering the full range of functions across their local authority clients. Ideally you will hold the CMIIA qualification or a recognised accountancy qualification and have at least three years internal audit experience.

Trade Finance Internal Auditor London 5575,000+Bens

This UK subsidiary of an international bank provides trade, structured and project finance to its international client base. They are seeking an internal auditor with strong trade finance experience. Ideally this will have been gained via audit but candidates with strong relevant operational experience who can demonstrate enthusiasm to transfer into internal audit will also be considered. The role will encompass special ad hoc assignments.

Group Internal Auditor Hertfordshire To55,000+Bens

An exciting group internal auditor role has arisen with this successful FTSE group. You will be required to plan, execute and report on internal audit reviews of business units, processes or identified areas of risk exposure across the Group. This is an autonomous role involving varied international travel. You must be able to work on your own initiative, be audit qualified and have at least four years relevant internal audit experience.

Senior IT Audit Manager London c.75,000+Bens

This diverse banking group is seeking an experienced IT auditor to manage the delivery of complex applications led and integrated reviews. You will help provide a service that makes a real difference to risk management by working in partnership with stakeholders and ensuring reviews are delivered on time and in line with quality standards. You should be CISA/QiCA qualified, with experience of managing audits in a large complex environment.

Audit Manager London 7585,000+Bens

This well known investment manager is seeking an experienced asset management auditor to perform front to back reviews covering all trading and other areas of their business. They are a class leader in Liability Driven Investments (LDIs) and also have significant Fixed Income and Equity, Real Estate and Private Equity portfolios. You will manage complex audits in an environment that offers a good work life balance and the opportunity to develop in the business.

Senior Auditor Yorkshire 3050,000+Bens

Our client is a long established and highly successful financial services group. As a member of their progressive internal audit team you will be responsible for reviewing the systems and controls established by management and the Executive. At senior auditor level this will typically entail leading medium scale / relatively complex audits, assisting with the management of the audit team and liaising with senior stakeholders within the business.

Manager Change Audit London To65,000+Car+Bens

Working for the largest specialist change and transformation team in London you will provide assurance on key projects/ programs. Applicants must have experience of project/program assurance and any previous project management experience is highly desirable. You will manage relationships with program directors and project leads and therefore it is essential that you are highly credible and fully understand project lifecycles.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW

Audit Manager/Senior Manager London Competitive

Our client is a successful banking group. They are restructuring to better align the internal audit team to specialised business functions. Covering retail banking products and the back office processes associated with these, your remit will include current accounts, credit cards, savings, mortgages, loans and fraud operations. You will have a background in audit or risk management with detailed products experience or a strong operations background. For further details of positions in London/City contact Alexia Demetriou 020 7936 2601 ad@barclaysimpson.com

Assurance Officer Cheltenham To32,000+Bens

This household name general insurer is seeking an assurance officer / internal auditor. You will be joining an established internal audit department and will be required to provide independent, objective assurance and consulting services designed to add value and improve business operations. Financial services or insurance based experience is desirable together with well developed communication and interpersonal skills. For further details of positions in the Regions contact David Jarrold 020 7936 2601 dj@barclaysimpson.com

Senior IT Auditor South West To50,000+Bens

Our client is a specialist financial service provider with an excellent reputation in its market. Working closely with the Head of Internal Audit you will be the sole IT audit resource and will help devise and deliver the annual IT audit plan. To meet the requirements of the post you must be CISA/QiCA qualified with IT audit experience gained ideally from a financial services provider who outsources its IT function. For further details of positions in IT Audit contact Daniel Flynn 020 7936 2601 df@barclaysimpson.com

020 7936 2601

Barclay Simpson Scotland 910 St Andrew Square Edinburgh EH2 2AF

0131 209 7850

bs@barclaysimpson.com www.barclaysimpson.com

Scotland Conformance Testing AVP Glasgow Excellent+Bens

Our client is a global investment bank with an expanding presence in Scotland. They are looking to recruit an experienced Internal Audit Manager to work within a newly created conformance testing team. This second line role will require you to plan and deliver internal controls reviews across all areas of operational, market and credit risk. You will undertake controls testing and make recommendations to improve their effectiveness.

International Risk and Control Manager Frankfurt To100,000+Bens

Our client, an international banking group, is seeking an experienced audit manager to assess and co-ordinate risks within its German subsidiary. This will involve working closely with business managers, external auditors, regulators and other stakeholders to identify all major risks and ensure adequate controls are initiated and maintained. Strong communication skills are required, including German, and also well developed commercial skills.

Nationwide Interim Opportunities

South-Coast London South-East Central London North-East London East Midlands London North London London Internal Auditor Change Auditor Audit Consultant Audit Manager Senior Auditor Audit Manager Senior Auditor Internal Auditor KPI Auditor IT Auditor Commerce Financial Services Asset Management Capital Markets Banking Retail Banking Financial Services Insurance Central Government Consultancy 250 per day 400 per day 500 per day 500 per day To 50,000 pro-rata 350 per day 250 per day 450 per day 125 per day 450 per day

Senior Internal Audit Manager Edinburgh/Glasgow 45,000+Bens

Working in this international consultancy your role will be to deliver a high quality outsourced and co-sourced internal audit and assurance service to clients across the construction, manufacturing and financial services sectors. You will manage a portfolio of work ensuring internal controls are operating effectively and agreeing control improvements with clients where required. Previous consultancy experience would be desirable.

Head of Audit Doha To95,000 Tax Free

This leading Qatar bank wishes to recruit a Head of Corporate and Credit Audit. Based in Group headquarters and managing a mid size team, you will be responsible for assessing credit risk and managing the audits of all corporate credit activity. You will have gained an in-depth understanding of credit risk in relation to corporate banking and feel confident in liaising with senior risk and commercial managers on control issues.

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com

www.barclaysimpson.com/interimsolutions

Internal Audit Manager Change Edinburgh Excellent+Bens

This is an exciting audit role completing program assurance audits across a wide range of change and transformation programs within this successful retail bank. This role will involve significant interaction with change managers to ensure that potential business risks are identified and internal controls are fit for purpose. You should be able to demonstrate relevant audit experience gained within consultancy or financial services. For further details of positions in Scotland contact Liam Hughes 0131 209 7850 lh@barclaysimpson.com

Senior Internal Auditor Monaco Excellent package

This energy services company is seeking an experienced internal auditor. Undertaking reviews of IT, financial and reporting risk throughout their operations, you will assess the adequacy of controls and propose improvements. Previous experience of auditing within a projects or contracts environment such as oil and gas or construction is preferred. Working in English a second European language would be useful. For further details of International positions contact Marie Marchi 020 7936 2601 mm@barclaysimpson.com

Market Report 2013

Up to date overview of the economy and its impact on corporate governance Sector analysis of the demand for internal auditors Review of salaries Outlook for the future
Download your free copy at: www.barclaysimpson.com

Visit

www.barclaysimpson.com
to access a vast range of free online resources
Search hundreds of audit vacancies Find your current market value Information on where best to live and work Focus on Computer Audit Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the RECs Diversity Initiative.

For more details visit: www.barclaysimpson.com/equalopps

corporate governance recruitment

Senior Internal Auditor

London based with some UK and overseas travel

36,00048,000 + audit allowance

MI5 helps protect the UK against threats to national security including terrorism and espionage. The Internal Audit team plays a critical role in helping MI5 manage its risks effectively and we currently have a vacancy for a Senior Internal Auditor.
Reporting to the Deputy Head of Internal Audit, you will deliver risk-based audits across a number of business areas including operational, security, financial and organisational risks. This is a challenging and varied role and, working alongside MI6 auditors, you will have the opportunity to conduct audit assignments in both MI5 and MI6. Working with stakeholders of all levels, you will have the ability to foster positive and productive working relationships and will act as a catalyst for improvement by exploring current practices, challenging traditional approaches and making value-adding recommendations clearly, succinctly and robustly. A pragmatic approach is important for success in this role. You will be a confident communicator, producing written reports, delivering presentations and conveying technical concepts to non-technical colleagues. You will also need strong data analysis, decision making and problem solving skills and sound judgement. A full audit or accountancy related professional qualification, such as CMIIA or CCAB, and practical, recent experience of delivering a range of risk-based internal auditing assignments within deadlines are essential. You should also have basic project management skills and the ability to assimilate large volumes of information quickly, scope and conduct audits and lead reviews. Experience of working within the security intelligence sector is not necessary as you will be given a comprehensive induction. You will be comfortable working both autonomously and as part of a team. Applicants must be born or naturalised British citizens and normally have been resident in the UK for 9 out of the last 10 years. Discretion is vital. You should not discuss your application, other than with your partner or a close family member. To find out more about us, visit www.mi5.gov.uk/careers Closing date for applications is Monday 29th July 2013.

To request an application pack please contact David Jarrold dj@barclaysimpson.com or Daniel Flynn df@barclaysimpson.com

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com

020 7936 2601

www.barclaysimpson.com