Ground control
Kevin Goulding, group head of internal audit at Dublin Airport Authority, on flights, finance, security and duty-free shopping
Fair dues: why it's important to keep up to date on discrimination
Too close for comfort: how to manage potential conflicts of interest
Ain't misbehavin': do hotlines for whistleblowers really work?
Contents
Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD, 020 7045 7500. Editors: Keith Ryan (keith.ryan@caspianmedia.com, 020 7045 7543) and Ruth Prickett (ruth.prickett@caspianmedia.com, 020 7045 7572). Chartered Institute of Internal Auditors: info@iia.org.uk, www.iia.org.uk, 020 7498 0101. Subscriptions: membership@iia.org.uk, 020 7498 0101. Advertising: Ian Mehrer (ian.mehrer@caspianmedia.com, 020 7045 7596). Creative director: Nick Dixon. Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.
Front
3 The IIA view
From the chief executive, Ian Peters.
5 World view
From Richard Chambers, IIA Global president and CEO.
8 Update
The latest news affecting the profession.
10 Conference preview
What to look forward to at the IIA's annual conference.
12 Reportage
The findings of the 2013 Eversheds Board Report.
Features
14 Holiday maker
Kevin Goulding, group head of IA at Dublin Airport Authority, on local traffic and global duty free.
18 On the level
Why organisations must keep up with shifting views of discrimination.
24 Conflict resolution
Conflicts of interest are hard to spot and can prove expensive to resolve.
28 Good call?
Whistleblowing hotlines are cheap and popular. But do they work?
Regulars
32 Tools for the job
How to improve the way you communicate the value of internal audit.
33 Career development
Top tips for creating a new IA function from scratch.
34 You asked us
Experts answer readers' technical questions.
36 IIA update
Institute news and membership matters.
40 Student noticeboard
Essential information for exam candidates.
We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk
The guidance should help internal auditors to put their points across more consistently and forcefully
When the original COSO framework was published, the internet was in its infancy.
as globalisation and increased expectations for governance oversight. The 2013 framework addresses risks associated with technological advances, incorporates some of the lessons learned over the past decade about fraud, and emphasises that control is about more than just internal control over financial reporting.
Internal audit had its roots in accountancy and finance, so it's not surprising that many people in the profession are financially qualified. But what has changed over the quarter century that I've been working in the risk, audit and governance arena is the ever broadening remit of internal audit. The IIA in the UK and globally has consistently built, developed and upgraded internal auditing as a profession and a brand to be proud of. As a head of function I have to be able to provide a view of risk and control across the business, so I cannot rely purely on the traditional source of internal auditors. In the three major organisations where I have headed the audit function, I have sought people with more diverse backgrounds, experiences, organisations and qualifications. Yes, one does need financial expertise at the core, but I could not meet my remit to the board without bringing in staff from other disciplines as well. This includes encouraging internal transfers from the business and, significantly, seeking IIA or CIA qualified staff. Combining these skills can build a more rounded service.
One of the best project auditors I have had so far in my teams was previously an experienced project manager, not an auditor. Their management skills were highly advanced and their experience juggling many demands as a project manager was an excellent grounding for running several audit projects simultaneously. When I was establishing a new team to focus on distribution and operations, I hired an experienced qualified internal auditor from outside the organisation, but also brought in a member of staff from the business who was steeped in operations. While they knew little of internal audit, their controls and process background dovetailed well with the external hire so we could map business knowledge with risk and control expertise. Adding others with different sector experiences enabled the team to help the business move its control dial significantly.
Most of the teams I have worked with have been relatively small, but I have been privileged to work with people from other countries who can bring different perspectives to these teams. Each person's perspective is one window on a problem and having several perspectives means you can open those windows to produce effective solutions. Having a Frenchman help a Peruvian on an audit in Sweden, and doing it all in English, is a bit of an eye-opener.
I joined the Post Office in October 2012 to set up its internal audit department following its demerger from Royal Mail in April 2012. Post Office is undergoing an exciting and challenging transformational change across more than 11,700 branches, the largest retail network in the UK. It's a diverse organisation covering financial services, telephony, insurance, mails, foreign exchange, mail services and government services, so the risks are diverse too. Post Office is also keen to support diversity with the aim of bringing in a range of thoughts and encouraging people from a wide variety of backgrounds with different experiences to build change. As the Post Office internal audit team develops, it will reflect those values. To meet the increasing expectations of the board, the internal audit team needs to be diverse in its thinking and capability. I will always need financial expertise in my audit teams, but it is essential to seek complementary strengths from elsewhere. A team that plays to its strengths will achieve much.
Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what's new.
UPDATE
We round up the latest business and regulatory news to affect the internal audit profession.
C-suite executives shift views on risk
Regulatory changes have caused 70 per cent of c-suite executives to make substantial or moderate changes to risk management and reporting processes in the past two years, according to a report by KPMG.
The UN Office for Disaster Risk Reduction (UNISDR) has warned that economic losses from disasters have spun out of control. It is calling on the world's business community to incorporate disaster risk management into their investment strategies to avoid further losses. To read the latest Global Assessment Report (GAR13) by UNISDR, go to http://bit.ly/13DxZ1A
IT security standards setter ISACA has issued new guidance outlining key questions for boards of directors to ask to ensure their enterprise's cloud initiative is in line with business objectives and the organisation's risk tolerance. According to the white paper, boards should ask whether management teams have a plan for cloud computing and if they have weighed the value and opportunity costs. They should ask how cloud plans support the enterprise's mission; whether executive teams have properly evaluated organisational readiness so that cloud processes work alongside those already in place; and whether management teams have considered existing investments that might be lost in their cloud planning. Lastly, boards need to ask whether the organisation has strategies for measuring and tracking the value of cloud return versus risk. Full details: www.isaca.org/cloud-governance
Natural catastrophe risk report
Zurich Insurance Group's Natural catastrophes: business risks and preparedness survey has found that companies recognise the potential risks posed by natural catastrophes, yet still have insufficient mitigation plans.
REPORTAGE
Risk strategy is now higher on the board agenda and a board's key challenge is how to balance growth and risk, according to the 2013 Eversheds Board Report. The report also highlighted that diversity has risen up the board agenda, with 61% of directors saying that diversity on the board is key to good board performance.
Key findings from the report's infographic (the graphic itself did not survive extraction; each finding is given with the figure that accompanied it):
Shareholder dialogue: there is more evidence of positive dialogue between shareholders and boards. The average AGM approval rating for executive remuneration packages was over 90%, except in the US where it was 80.5%.
Board size: an 8% decrease in the average number of directors on the board over the past five years, from 13.4 to 12.3 directors. Directors also believe that an effective board should have fewer than 12 members.
Tenure: directors are staying in their roles for longer. The global average tenure of directors is 6.7 years on the board, an increase of 13% in five years. There is a positive relationship between longer tenure and share price over three- and five-year periods.
Risk: directors said that their board's approach to risk had changed in the past two years and it is now higher on the board agenda.
Age: 58 is the average age of chairmen and CEOs of the top 50 companies.
Diversity: of directors' views on the type of diversity that has the most effect on board performance, 10% cited gender.
Executive directors: the trend is to have fewer executive directors on the board. In 2007 there were 3.2 executives to 10.2 NEDs; in 2012 there were 2.1 executives to 10.2 NEDs. The top 50 companies had 2.4 executives to 8.2 NEDs. The largest decrease was in Europe (60%) and the smallest decrease was in Australia (8%).
Stakeholders: directors thought that chairmen could enhance the way in which boards engage with different stakeholders.
Women on boards: the percentage of female directors on boards increased across all regions. However, this is from a low base. The largest increases were in Europe (156%) and in Hong Kong (133%).
Labels and figures from the infographic that could not be matched to a finding: "Economic climate", the average age of directors, 93%, 72%, 16%, 34%, 51%, 50% and 22.3%.
The research involved 542 of the world's leading companies, including the top 100 companies in the UK, Europe and the US, over 120 Asia-Pacific companies, 50 Middle Eastern companies and 30 companies from Brazil. To request a copy of Eversheds Board Report: The Effective Board, visit http://bit.ly/YZtn6n.
Holiday maker
As the holiday season approaches, most people start thinking about a couple of weeks in the sun. But, as Kevin Goulding, group head of internal audit at Dublin Airport Authority, explains, the season brings more complicated challenges for those running airports.
Words: Neil Hodge Photographs: Mark Nixon
The airline industry has been one of the hardest hit since the global economic crisis gained momentum. While passenger numbers are moving back up to pre-2008 levels globally, profit margins have narrowed for most, and the environment is set to remain challenging for some time, according to the International Air Transport Association, the major industry body. Yet there are always some that buck the trend and succeed where others struggle. Dublin Airport Authority (DAA), which is state owned but operates on a stand-alone commercial basis, runs Dublin and Cork airports and delivered a solid performance last year. Turnover increased by three per cent to €575m, while profits (excluding exceptional items) grew by 66 per cent to €43m. Group operating costs fell, while passenger numbers rose; 8.8 million passengers used the recently opened Terminal 2, which is driving the airport's long-haul growth. So far this year, the positive upturn looks set to continue and there are signs that even more people will be jetting to and from the Irish capital over the summer (see box on page 16).
Kevin Goulding, DAA's group head of internal audit, is confident that the airports can cope with the projected surge in demand, that the necessary controls are in place to ensure that passengers have a smooth journey, and that internal audit is not run ragged. "Increased capacity and larger passenger numbers are always a risk issue, but the opening of Terminal 2 a couple of years ago reduced those capacity risks," he says.
Care of duty
But Goulding's internal audit team is working in a business that is far more complex than that of many airports. DAA has three strands to its operations. The most important and resource-intensive of these is running Dublin and Cork airports. In the past few years it has also developed a consulting arm that provides advice to airports that are, for example, planning to develop new terminals, facilities and business opportunities. Third, over the past 50 years, it has developed an enviable sideline in duty-free/duty-paid shopping with its retail business Aer Rianta International (ARI), one of the world's largest airport duty-free and duty-paid retailing companies with an interest in 24 airports in 14 countries. During 2012 ARI generated profits of just over €27m. It saw strong sales growth in the Middle East and in India, where annual sales at its Delhi Duty Free passed US$100m for the first time. ARI also opened its first Chinese stores in 2012 and has recently been selected as the preferred bidder for the duty-free business at Mumbai's new Terminal 2, which means that ARI will be operating the key duty-free outlets at India's two main international gateways. This will give DAA a very strong position in one of the world's most important growth markets.
As a result, Goulding says that internal audit's work is increasingly involved with the way that the business is expanding internationally. Bidding for duty-free contracts is big business for DAA and the organisation keeps an ear to the ground to find out when a new opportunity might become available. "Our work involves providing assurance on financial statements. In order to win these contracts, the organisation has to give guarantees and provide sound financial forecasts on the amount of revenue and customers it can bring in. We need to check the information behind those figures," he says.
His team will audit the activities of each ARI subsidiary every two to three years. This process is complex for a number of reasons. "First, it is a question of resources. We have a small team so we need to ensure that resources are deployed in the most effective way possible. The other issue is that many of the ARI operations are joint ventures, and we may need to agree a right to audit with the other party. Added to that, joint venture partners may have their own internal audit teams and external auditors, so sometimes we can leverage off their work," he explains.
Fully automatic
Another area of financial risk for internal audit relates to loss of revenue, or "revenue leakage". "The financial controls we have in place are robust and the business model we use has been established for a long time, so we are aware of the risk profile," says Goulding. "However, some of our invoicing involves a degree of manual input and that is a concern. The business is trying to automate more of these processes, and internal audit is monitoring progress," he says.
IT risk is already at the heart of his team's work. "Our business is very IT-driven," he says. "There are around 180 different types of IT system across the organisation; everything from the usual desktops to check-in terminals, CCTV, security scanners and arrival and departure monitors. We have identified about 25 of these as critical. We have to make sure that these systems will work and that there is a back-up process we can switch to very quickly if anything goes wrong. Business continuity is a major focus for us." To ensure that the risk of IT disruption remains low, internal audit has a policy of communicating the importance of patch management throughout the organisation.
"It is hugely important that everyone is using the latest and safest versions of software on their systems, so the IT department sends out communications notices to remind people to install the latest patches made available by software providers to get rid of any vulnerabilities," he explains.
in class." "That experience shaped the way that I think about internal audit a lot. My then boss always looked at what value internal audit could add to the business and he put a strong emphasis on having different skill-sets, and I share exactly the same view," he says.
He took up the role of group head of internal audit at Dublin Airport Authority (DAA) in January 2012. Before this he spent over seven years at Kingspan Group, which provides environmental, construction and renewable energy products. He enjoyed this job, which included setting up the internal audit and risk-management functions, but a seven-week spell in hospital after a routine appendix operation went wrong and nearly killed him put the constant travelling into perspective. "Around 96 per cent of Kingspan's business was outside Ireland, so my work involved a lot of air travel. I felt like George Clooney's character in the film Up in the Air: I always seemed to have a bag packed and I was constantly living out of a suitcase, collecting air miles and hotel booking points. My near-death experience put my lifestyle into perspective, and I thought I'd look for a new challenge that kept me close to home," he says.
One of Goulding's first tasks when he took charge of the internal audit function at DAA was to make personnel changes within the existing staff. "Over the previous three to five years some of the more experienced internal auditors had left the organisation to take up opportunities outside DAA. They had been replaced by personnel from other parts of the business with less traditional auditing experience, but with a great knowledge of the operation," he says. While their technical knowledge of the business was a huge asset, some of the team did not have all the requisite formal audit training and qualifications. Some of them had also been moved into the audit function temporarily and had stayed in the team longer than originally planned, so it was time to find new roles for them in the business. "My approach is that the internal auditing department should be a springboard for new talent whereby recently trained and qualified auditors are brought into the organisation, and then move out into the business after about two years in audit," he explains. The redeployment took longer than expected, but Goulding says that he now has a team of five, including four qualified internal auditors. He is currently looking for an IT audit manager plus another internal auditor to focus on the international side of the business. "This will make the team about the right size for the organisation and quantity of work that we are doing," he says.
His longer-term plans could also involve internal audit working more closely with external teams. While he does not have a co-sourcing arrangement in place with any third-party provider at present, he concedes that he may look more closely at this option as the international side of the business grows. This could be particularly useful where the team needs local language skills, he points out. He also wants to build up the relationship internal audit has with external audit for their "shared mutual benefit". "In my last role at Kingspan we carried out a number of joint audit assignments across the US business with the external auditor so that skills and experience were pooled and costs were reduced. In effect, for certain locations I ensured that the requirements of the external audit programme were fully covered by the internal audit programme and that work papers were robust enough to be relied on by external audit," he says. "It is more difficult to create that relationship here because external audit is statutory, there are issues surrounding independence and safeguards would need to be established. However, there can be real benefits from sharing certain work to minimise duplication of effort and to ensure there is sufficient leverage off internal audit work," he adds.
On the level
What is discrimination? It depends on what the law says and on what your staff and customers think it is. New legislation can lead the way by prompting organisations to change the way they act and imposing penalties on those seen to be discriminatory, but it is not the whole story. Diversity and discrimination are two sides of the same coin, and the opportunities as well as the risks continue to evolve.
Words: Alice Hoey Illustration: Paul Blow
When the new Mental Health Discrimination Act came into force in April 2013, it changed relatively little (most significantly for businesses, it revoked a previous provision that prevented people from serving as company directors on account of their mental health problems), but it was symbolic. It addressed the last significant type of discrimination in our society today: mental health. The UK has had laws to protect individuals from discrimination on the basis of gender and race since the 1970s, with protection expanded in the 1990s to include disability. Since the turn of the century, religion or belief, sexual orientation and age have also been added to the legislation. The most significant legislative change, however, was the introduction of the Equality Act 2010, which brought all the discrimination laws under one statute and gave them equal weighting. It also expanded existing protection to include marriage and civil partnership, pregnancy and maternity, and gender reassignment.
Developing diversity
Despite the changes so far, UK laws may not yet have caught up with society's desire for equal opportunities. "There is, for example, some recognition by the public that discrimination based on factors such as social class exists," says Dan Robertson, diversity and inclusion director at the Employers Network for Equality and Inclusion, "but the legislation on this issue is absent." The debates over diversity are far from over and can evolve quickly. London's prestigious Imperial College recently withdrew its offer of a short internship in its science labs from a fund-raising auction at Westminster School after there was an outcry on scientific blogs and among its own students, who protested that internships should be available only on merit, not for A-level students with the richest parents. Similar concerns have been raised more broadly about unpaid work placements in large organisations, which are seen to give an advantage to people whose parents are willing and able to support them while they work. Meanwhile politicians, church leaders and pressure groups across Europe have been hotly debating the issue of whether gay couples should be allowed to marry: the first French same-sex couple married in May, while the UK and German governments are struggling to find solutions that are acceptable to groups with strongly held opposing views.
Other nations also influence the development of UK legislation, says Karen Jackson, a partner at DID Law, which specialises in disability discrimination and workplace health issues. "Some Scandinavian countries have taken the lead on the issue of gender equality in the boardroom. In Denmark, for example, they now have quotas as part of their effort to even out the gender balance at the top levels of large companies," she says. "The US tends to be at the extreme end of the curve. For example, it has legislation protecting against genetic discrimination, where an
employee is tested for a predisposition to genetic disease. This issue may become more important in other countries if such tests become more widely available."
The ability of digital channels such as Facebook and Twitter to enable people to express discriminatory opinions or tell ill-timed, insensitive jokes is also affecting employers, who can be caught in the fall-out when staff hit the headlines. The recent appointment of Paris Brown, a 17-year-old hired as Kent's first youth police and crime commissioner, fell apart when her silly, inflammatory tweets came to light. After several days of media attention and considerable embarrassment for the Kent police and crime commissioner who had hired her, Brown stepped down. The tweets were not seen as a criminal offence, but the authority was criticised for failing to check the candidate's online media profile. Emails can also provide evidence of discrimination. In the mid-1990s a woman who worked at a City bank brought a sex discrimination case against her employer and used personal email comments by colleagues and bosses as evidence. Few people were probably surprised at the time that some male bankers had sexist attitudes, but the case was notable for the way in which it highlighted an emerging risk from internal emails.
But, according to Jackson, the UK government has little appetite to increase anti-discrimination protection at present. She says that she has seen a fall in the number of claims relating to sex and race. "This is partly because the law around these has had longer to bite, but also because most employers are on side with these laws, understand them and provide diversity training around them," she explains. However, she is seeing more employment tribunals on the grounds of disability and age discrimination. This is unsurprising, she says, given the ageing population and the abolition of the default retirement age. In future, she warns that organisations may need to pay more attention to other areas of discrimination that have had a lower profile in the past. "Religion and belief have had quite a high profile in the media, with cases such as Eweida v BA and the B&B owners who turned away a same-sex couple hitting the headlines. Employers ought to be tuned into this," she says.
Keeping step
Internal audit plays an important role in ensuring organisations have the proper procedures to assure against these risks. Most important, according to Alistair May, affiliate member of the IIA and head of internal audit at the Scottish Government, is assurance that the issues identified are being taken forward positively and that successful outcomes are achieved. The key risk, he says, may be that the hoped-for outcomes do not materialise, which would be particularly disappointing for both ministers and management. Discrimination has been a priority for the Scottish Government. "Most recently, following the Equality Act 2010, Scottish ministers made regulations placing specific duties on Scottish public authorities to enable the better performance of the public sector equality duty," May says. One legislative result of this focus was the Offensive Behaviour at Football and Threatening Communications (Scotland) Bill, which was passed in December 2011 and aims to tackle particular problems in Scottish football and society. The Scottish Government is required to carry out an equality impact assessment when new policies are introduced. "As internal auditors, we are sometimes asked to provide advice on the development of new policies and this is one of the key areas we look at to ensure it is being addressed properly," May says. Legislative changes have not necessitated changes to internal audit procedures because, May says, the government's systems, processes and culture have evolved to reflect changes in attitudes and behaviours and new priorities. For example, Scottish Government employees have a mandatory requirement to set a personal objective linked to diversity. "This can be to do with working relations or conditions, developing processes or promoting policies. Some auditors can link their diversity objective to some of their audit assignment work where there is a natural alignment," he explains. Internal audit has had specific input in developing the Certificates of Assurance (CoA) process, he adds, which requires all deputy directors to complete a self-assessment checklist. "The internal auditors were at the forefront in introducing the CoA process. This is now being reviewed and some of the diversity assurances it contains may need to be refreshed. We refer to these checklists in the course of related audit assurance work and look for evidence to support the self-assessments declared."
What are the risks of failing to comply with equal opportunities and discrimination laws?
One problem with anti-discrimination laws is that they can attract unscrupulous claims, says discrimination lawyer Karen Jackson, who has defended many employers against employees who see a performance-linked dismissal as discrimination. The best way for businesses to protect themselves is to ensure they have a thorough and well-documented policy but, more importantly, to police that in the workplace, crack down on unacceptable behaviours (especially among managers who should be setting the tone) and provide regular training around the issues. Training is essential, partly because people don't always realise they are acting in a discriminatory way. Businesses also need well-documented and fair HR procedures to back up their actions and decisions. "It is alarming how often HR representatives make procedural errors that land their employers in hot water," says Jackson. While this can be easily remedied with the right processes (keeping a paper trail of documented meetings, phone calls and discussions), many organisations fail to put these in place. "Employers often can't demonstrate that they considered a decision, because it happened during an informal chat between managers and HR and there is no record," she says. While records such as file notes are useful, email should be limited because it can leave a trail of incriminating evidence and employees can ask employers to provide data about them under the Data Protection Act. Simple HR procedures, properly followed, can protect against claims of unfair dismissal on the basis of discrimination. For example, organisations must follow the right steps in the dismissal process: they shouldn't go from a first informal chat to a dismissal without giving the employee warnings or help to improve. "Witnesses at meetings are also a good idea," says Jackson. "In employment tribunal proceedings contemporaneous written evidence will almost always be preferred over an individual's word."
The up side
It is easy to focus on avoiding the risk of discrimination and, ultimately, a legal battle. More positively, there are real benefits for organisations that embrace greater diversity. "There are studies, specifically by McKinsey and Catalyst, that show a correlation between increased diversity and improved quality of decision-making, while a number of studies also link a higher representation of women on boards with business performance," says Robertson. "What's more, treating people fairly has a positive impact on the psychological contract and thus improves productivity and profitability." There are also benefits to being seen as an employer of choice, he adds, pointing out that the post-baby-boom generations put a diverse workforce high on their wish-list for employers.

While most companies focus on discrimination as an employment issue, it's worth remembering that in many cases a company's staff are also its customers, local ambassadors and frontline communicators. One IT company in the US found that customers reacted better when they diversified their engineering teams by recruiting people from a wider range of backgrounds and training them internally. Sending people who reflected the range of people who worked in their customers' offices, rather than a team entirely made up of white men who all had the same qualifications, meant that customers felt they could ask more questions and gained better service. Supermarkets and DIY stores that have made an effort to recruit older staff have found that these employees are often better informed about products and more committed to their jobs than much younger staff, who see the job as a stepping stone to something else or a short-term option, although older workers may be less able to take on heavy physical work. Older customers often appreciate being able to talk to someone more like themselves who understands their needs.

You don't need to spend much to ensure your company is an equal opportunities employer. The average cost of putting basic procedures in place is less than £1,000, according to the Employers Network for Equality and Inclusion. As new issues come to the fore and attitudes in society shift, there is scope for further changes and emerging risks. Organisations and internal auditors need to stay on their toes.
Professor Robin Pritchard explores the meaning of the universe in internal auditing terms.
One of the questions I am regularly asked in my professional and academic capacity is how I quantify my organisation's internal audit universe. To this my reply is usually: "Well, it's good to be an internal auditor rather than a scientist." Professor Brian Cox, writing in the Wall Street Journal in April 2013, explained: "Quantum theory tells us that the universe we experience emerges from a bewildering, counterintuitive maelstrom of interactions between an infinity of recalcitrant sub-atomic particles." Believe me, defining the internal audit universe is much simpler than that, although the principles may well be similar. The definition of internal audit quoted in the International Professional Practices Framework (IPPF) gives us a clear steer that we should be concerned with an organisation's operations; in other words, everything that our organisation encompasses and interacts with. In such terms, both the quantification of the scope of operations and their review clearly represent a massive task, but if we do not attempt to consider the entirety of the whole, how can we decide where we should focus our attention? So the issue becomes not "what is the size of the universe?", as this is a simple if exhaustive exercise, but rather "what is the extent of the focus for our internal audit plan in strategic and operational terms?". I therefore offer two views of how a head of internal audit might advise an audit committee over the components of the internal audit plans.

The increasing prominence of governance statements and the requirement for transparent reporting of significant risks provides guidance that what matters is the assurance needs of internal and external stakeholders. The aim of the board is to deliver a clean opinion on the position of the organisation. It needs to know whether internal audit is able, through its periodic and annual reporting, to deliver an assurance report that supports such a statement. This should direct the focus of our internal audit plan.

Can we provide assurance opinions in relation to what the board would not wish to report, presumably covering a triple bottom line of sustainability, corporate social responsibility and financial performance? We might consider this as the "corporate dashboard".
If we do not consider the whole, how can we decide where to focus attention?
World-class internal audit teams are multidisciplinary and reflect the nature of the organisation
A different way to approach this could be to look at where the board gets assurance from; this is a pre-requisite of governance codes and the IPPF (standard 2050). This requires analysis of the three lines of defence, in which inherent and residual risk are assessed, before management can provide assurance over the operation of procedures. At this stage we can assume that residual risk is likely to fall into one of three categories:

Deep purple: an unacceptable level of risk remains, which is above the risk appetite of the board.
Purple: the level of risk exposure requires constant monitoring by executive management.
Violet: a level of risk that is unlikely to cause business disruption.

Such analysis of the risks can be transposed into three areas of internal audit activity. At the deep purple level management will implement solutions to bring risk exposure within the risk appetite of the board. Internal audit activity is likely to be of a consultancy or advisory nature. In the purple area there is a control risk line where, if key controls failed, the organisation would be exposed to unacceptable or even catastrophic risk. This is where internal audit needs to provide assurance-based work as a third line of defence. The violet area is likely to feature operational activity. Therefore some compliance audit may be appropriate to reassure the board about the continuity of control and to contribute to overarching opinions relating to control, governance and risk management. The essential aspect of the internal audit plan is therefore risk-based, featuring not only the areas of perceived greatest risk, but also key controls within them. These will be the areas that the head of internal audit will recommend to the audit committee for attention, since this will directly support the governance statement. Areas where consultancy or compliance audit may be required are likely to be at the request of executive or operational management.

The significant question for heads of internal audit is, therefore, whether you are engaged with this level of strategic risk within your organisation. If so, do you have the appropriate level of resources and skills to deal with risk issues that will arise across the spectrum of activity that your organisation encounters? I believe that world-class internal audit teams are multidisciplinary and reflect the nature of the organisation, with audit staff also being appropriately trained in internal audit practice so that they can fully associate themselves with the fundamental responsibilities of the role. We should therefore focus not on the whole universe, but on the most relevant aspects of it to help our organisations achieve objectives by delivering assurance that systems of control, governance and risk management are appropriate.

Professor Robin Pritchard is head of the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School. He is chair of Severnside Housing and manages his own consultancy, Ra Business Services. For IIA guidance on the audit universe visit www.iia.org.uk/audituniverse.
[Figure: risk matrix. Vertical axis, impact on business: Major (3), Moderate (2), Minor (1). Horizontal axis, likelihood of occurring: 1 Almost Never, 2 Unlikely, 3 Likely, 4 Almost Certain. Key: acceptable level of risk subject to regular monitoring; risk management measures need to be put in place and monitored; unacceptable level of risk exposure, which requires extensive management.]
Conflict resolution?
Words: Peter Curtis
While it might seem obvious that an MP should not accept cash from lobbyists to ask questions in Parliament, some conflicts of interest can be hard to spot and depend on an individual's role as well as the sector they work in. So how can internal audit help firms to be on guard?

When the Financial Services Authority (FSA) fined fund manager Martin Currie £3.5m in 2012 for failing to manage a conflict of interest between clients, it was a sign of heightened regulatory scrutiny of asset managers' approach to managing such issues. In November last year, the FSA sent the chief executives of every UK asset manager a letter asking them to confirm that their firms had adequate conflict procedures in place. And, under the guise of the new Financial Conduct Authority (FCA), it is now said to be considering multi-million-pound fines for fund managers that use investors' money to pay investment banks for access to the CEOs of their corporate clients (reportedly up to $20,000 an hour). But conflicts of interest can occur in all types of organisation. For example, the Financial Reporting Council (FRC) recently announced two investigations into the audit arm of KPMG over possible conflicts. And last October the European Court of Auditors found that a number of EU agencies, including the European Food Safety Agency and the European Medicines Agency, had failed to manage conflict of interest situations adequately.

Sources of conflict
Conflicts of interest can occur in a wide range of situations. They might involve a clash between an employee's personal interests and those of their employer's customer or stakeholder. Gifts and entertainment are obvious examples, whether it is a case of a head of procurement being paid to fly around the world to attend a prestigious sporting event by a supplier trying to sell them services, or a local councillor accepting a bottle of champagne from a company and subsequently sitting on a panel deciding whether to award them work. Or it could be an individual holding shares or having another financial interest in a client, supplier or competitor. Other types of conflict occur between the interests of different clients. This is a particular problem for law firms, which are prohibited by the Solicitors Regulation Authority from acting for a client whose interests clash with those of another client or of the firm itself. As a result, many now have teams dedicated to detecting potential issues. Concerns over a lack of independence can also be a problem for external auditors. In May, the FRC, which sets ethical standards to ensure their objectivity and impartiality, published its annual report into audit quality inspections. While it highlighted an improvement in the overall quality of external audit work, it also found that firms should reassess the adequacy of their independence and ethics procedures and the training they provide to staff at all levels. In one case, a former executive of an audited organisation rejoined its audit firm as a partner, but failed to dispose of a shareholding in the organisation for several months, in breach of ethical standards. Whatever the nature of conflicts, there can be regulatory consequences for failing to manage them appropriately. Company boards have a statutory duty under the Companies Act 2006 to avoid conflicts of interest, while the UK corporate governance and stewardship codes (overseen by the FRC) place a range of requirements on boards and investors for handling independence and potential conflicts on a "comply-or-explain" basis. The Bribery Act 2010 has increased scrutiny over employees accepting gifts and entertainment. The professions also have their own ethical codes and systems of regulatory oversight. But legal problems are not the only danger from conflicts of interest: there's also the risk of reputational damage. Angela Robertson, general counsel at Eversheds, notes: "If a law firm takes on a piece of work for a client and a conflict of interest is subsequently identified, it could severely damage or even kill that client relationship. In some sectors, particularly those where clients are sensitive around conflict issues, it could have repercussions across the industry, because word would get out to others. Obviously there's a risk of adverse publicity, particularly in the legal press."

Conflicts of interest might involve a clash between an employee's personal interests and those of their employer's customer or stakeholder.

Issues for councils are typically around property and procurement for officers and planning for council members

IAs need to be aware of a recent change to Financial Reporting Council standards for external auditors that will affect how the two sets of auditors can work together. "Direct assistance", where external auditors take IAs into their audit team for a period of time, will now be prohibited. "It's a move that has been taken precisely to avoid conflicts of interest and a lack of independence," explains Melanie McLaren, executive director of codes and standards at the FRC. Clearly an internal auditor who is
"I think some internal audit teams think that getting 100 per cent completion of those forms is all you need to do. But that doesn't mean there aren't conflicts of interest; managers may be unaware of them or knowingly leave them off forms because it might ruin relationships they have with contractors." Issues for councils in general are typically around property and procurement for officers and planning for council members. Laurie says that Wokingham runs governance training sessions for newly elected councillors. "If a council member is sitting on the planning committee hearing a planning application from one of their neighbours wanting to build a conservatory in their back garden, should they declare it? They should, and that's the kind of practical example we try to give." In the legal sector, a lot of conflict management relies on processes and technology, explains Robertson. As well as being responsible for conflict management at Eversheds, she previously set up the global conflicts team at Clifford Chance after it had undergone two mergers. "Every single piece of new work for a client, whether new or existing, had to go through the central conflicts team to identify whether there were any legal or commercial conflicts of interest," she explains.
Whatever the nature of conflicts, there can be regulatory consequences for failing to manage them appropriately
A law firm needs a good conflicts database containing details of all its current and historic clients and cases, she adds. "You need to be able to identify what work you've done for which client over a period of time. You've also got to have a good, clear process that everybody is aware of, so that you don't start acting on a piece of work for a client until you've checked with the conflicts team, assuming you have one." But lawyers must also be trained to understand the importance of giving the correct information to the conflicts team, she adds. "A conflicts system relies on people using it properly and inputting the right information." Getting the right culture and governance framework is also an important issue for asset managers and reflects the FCA's focus on consumer protection, believes Amanda Rowland, the partner who heads up PwC's asset management regulation team. "If senior management are getting the right information and are fully engaged, and the culture is right within the firm, all of these issues, whether conflicts or anything else that affects consumers and products, will be handled better," she says. While she believes that most firms would say that they were managing conflicts of interest in a way that they felt was "appropriate", the regulatory expectation has shifted and the level of attention from the regulator has "clearly concentrated minds". Since then, firms have been looking at their written policies and procedures and ensuring they have appropriate control mechanisms for declaring, registering or managing conflicts. But there are still grey areas, particularly relating to concerns raised by the FCA over the way asset managers buy research and trade execution services on behalf of clients. "Clearly there's the potential for conflicts. The question is what's the best way to deal with that, while at the same time leaving asset managers with access to the best quality research that enables them to make the best decision for their funds and provide the best service for their customers." The matter is the subject of an ongoing discussion between the regulator and the industry, she adds.

So what's the role for IAs in terms of managing conflicts of interest? "As part of our internal audit plan, we'll carry out a review of declarations of interest for officers and members," says Laurie. "We don't look just at the completion rate, but whether they are consistent with our cumulative audit knowledge and experience. If they aren't, we can flag it up." It's also important for a head of internal audit to lead by example and be very transparent about any perceived or actual conflicts of interest that they face themselves, he adds.

Useful resources
OECD guidelines for managing conflicts of interest in the public sector: http://bit.ly/15B4Yot
FSA paper on conflicts of interest between asset managers and their customers: http://bit.ly/13lfboW
Hargreaves Lansdown conflicts of interest policy: www.hl.co.uk/conflicts
3M conflicts of interest policy (US): http://bit.ly/11YFsLy
Companies Act 2006, a director's duty to avoid conflicts of interest (Pinsent Masons): http://bit.ly/18OjTxw
Good call?
Words: Nick Waldron
For the past decade hotlines have been the indispensable favourite form of early warning system for companies in all sectors anxious to spot the first signs of all types of wrongdoing. Not only is a hotline a universal talisman against evil, it pleases the regulators and impresses investors. But do they really work? Probably not, if no one ever calls them. So when are they effective and what can you do to ensure they live up to companies' great expectations?
The corporate collapses of the late 1990s and early 2000s led to a proliferation of internal hotlines for reporting wrongdoing. Companies worried about similar catastrophes saw hotlines as an early warning system that would enable them to address problems internally before they grew out of control and were exposed externally. Hotlines are cheap to install, are considered best practice and are even mandated by legislation for particular types of business operating in certain countries. The success of hotlines at detecting fraud is widely reported. In its 2010 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners found that: "Hotlines were the control with the greatest associated reduction in median [dollar] loss, reinforcing their value as an effective anti-fraud measure." Hotlines also have the support of some business heavyweights. In one of his chairman's letters for Berkshire Hathaway, Warren Buffett stated: "Berkshire would be more valuable today if I had put in a whistleblower line decades ago." So, if hotlines are cheap, effective, recommended as best practice and sometimes mandatory, their implementation is presumably a no-brainer? Well, not quite. There is some disquiet in organisations that have implemented hotlines. A post on the IIA's discussion forum by Guvnor Hans stated that his organisation's whistleblowing policy had been running for two years and had not had a single response. He posed the rhetorical question: "Does this mean that everything is OK inside the organisation, or that the scheme to prompt people to report wrongdoing has failed?" The ensuing thread indicated that other auditors had similar experiences with their organisations' hotlines.
Is it conceivable, then, that the hotline is not always the cheap, effective wonder drug it seems, despite being prescribed widely to fight wrongdoing in all its various forms on all fronts since the beginning of the century? The success of hotlines at detecting fraud in large organisations is borne out by the statistics, but are hotlines effective at detecting or deterring other types of wrongdoing in other types of organisation in other countries and cultures? This question prompted us to try to determine the effectiveness of whistleblowing hotlines in detecting and deterring various types of wrongdoing across a range of organisation types, sizes and sectors in different countries and cultures. We conducted an internet survey from May to September 2012, which received 137 usable responses (some of which were followed up with interviews). Of these responses, 87 had some form of whistleblowing hotline in place, although use varied in different organisations.

The first problem to overcome when assessing the effectiveness of a hotline is what to use as a measure of effectiveness. In order to determine both the metrics against which to measure and the targets to aim for within those metrics, hotline operators need first to establish what they are hoping to achieve in setting up a hotline. If, as 18 per cent of survey respondents indicated, the aim is to meet a regulatory requirement, the mere presence of a hotline achieves the objective. The risk is that hotline implementation becomes an end in itself. One interviewee cynically suggested that his employer had set up a hotline, but had then failed to man it in order to avoid detecting wrongdoing, channelling complaints into a black hole. This view was echoed by PricewaterhouseCoopers' 2011 report Corruption and Conflict of Interest in the European Institutions: The Effectiveness of Whistleblowers, which stated: "It appears that the EU institutions are looking to avoid negative news rather than intrinsically seeking to promote correct and transparent culture."

One interviewee cynically suggested that his employer had set up a hotline and then failed to man it to avoid detecting wrongdoing
Diligent hotline operators are likely to require more from the hotline than its mere presence. They might expect, for example, an increase in the detection of wrongdoing or a decrease in wrongdoing itself. They then need to measure the achievement of such objectives. One obvious measure of effectiveness is numbers of reported incidents. These figures are used in, for example, reporting hotlines' success in detecting fraud. However, used in isolation, incident numbers may not be an appropriate measure of effectiveness. For a start, numbers of reported incidents are often too low to demonstrate quantifiable improvements in control. The survey showed that during 2011, 52 per cent of respondents received ten or fewer calls. Small numbers of reported incidents may hamper meaningful trend analysis, but do not necessarily indicate that a hotline is ineffective. In its Whistleblowing Code of Practice, the British Standards Institution argues that "one single, well-founded concern can more than justify the modest expense that whistleblowing arrangements incur". Moreover, some reported incidents may be frivolous calls or calls that cannot be substantiated with evidence, particularly when hotlines accept anonymous calls (92 per cent of surveyed hotlines). One survey respondent stated: "Most of the reported incidents turn out to be unsubstantiated and many of the anonymous allegations are malicious or vexatious." The survey found that hotlines accepting anonymous calls receive more calls than those that don't. However, 23 per cent of respondents indicated that only ten per cent or fewer of the calls they received offered evidence of actual wrongdoing. The remaining 90 per cent are what Miceli, Near and Dworkin refer to as "noise" in their study Whistleblowing in Organizations. Furthermore, a simple rise in the number of reported incidents may not be a good indicator of a hotline's effectiveness. If the hotline's objective is ultimately to deter would-be wrongdoers, the hotline operator might hope for an initial rise in reported incidents as potential whistleblowers gain the confidence to take the plunge, followed by a decrease as would-be wrongdoers realise they might be punished. This ideal trend was observed by only between one and eight per cent of respondents for personnel-related incidents and security/confidentiality-related incidents respectively. As the ideal trend was observed only rarely, the research used any increase in the amount of detected wrongdoing, together with the opinions of respondents, as measures of effectiveness. The results were analysed by geographical region, by organisation size and by organisation type (charts 1 and 2). The first indicated that survey respondents across all geographical regions have largely positive impressions of the effectiveness of their hotlines. Interestingly, respondents from regions where whistleblowing is well established and supported by comprehensive legislation (Australasia, North America and the UK and Ireland) were less positive than those from other regions, possibly because of longer experience, or as a result of resistance to wider-ranging legal requirements in those regions. In this analysis the largest increase in the detection of wrongdoing was in fraud. However, in 33 per cent to 54 per cent of responses (depending on region), there was no increase in fraud detection. When it came to other types of wrongdoing, even more respondents said they saw no increase in detection.

Analysis by type of organisation also showed that positive impressions of hotline effectiveness are more widespread than increases in the detection of wrongdoing. It is interesting to note the relative opinions of the effectiveness across different organisation types. International organisations have a 100 per cent positive perception of their hotlines' effectiveness (albeit for a small response population), possibly because of more recent implementation. Not-for-profit organisations have the second highest perception as well as the highest increase in the value of detected fraud; the two findings may be linked. Respondents from government have a slightly more negative opinion of the effectiveness of their hotlines than those in other sectors, possibly because hotlines have been imposed on them.

Analysis by organisation size shows that perceptions of a hotline's effectiveness are generally higher than actual increases in detected wrongdoing. The exception to this is in the largest organisations, where increases in detection rates are significantly higher. There is almost no increase in detected wrongdoing following hotline implementation in organisations of 101-1,000 employees, where opinions of effectiveness are also lowest. Apart from fewer employees reporting fewer incidents, it may be that the intimacy of a small organisation increases the risk of confidentiality breaches, or leads to lenient sanctions, so people believe reporting is risky and not worthwhile. A more positive interpretation is that team spirit in small organisations leads to less wrongdoing. Either way, for the small organisations surveyed, hotlines were ineffective at increasing detection of wrongdoing.

There is almost no increase in detected wrongdoing following hotline implementation in organisations of 101-1,000 employees.

Overall, positive opinions of the effectiveness of hotlines range between 70 per cent and 100 per cent, whereas increases in the detection of wrongdoing generally range from zero to 60 per cent. So survey respondents have a more positive impression of the effectiveness of their hotlines than is borne out by detection rates. Some survey respondents indicated that their hotline was implemented to meet their corporate responsibility requirements and that effectiveness need not necessarily be determined by an increase in the detection of wrongdoing. Others felt that a lack of calls indicated ineffectiveness. One respondent stated: "There has been no measurable difference in wrongdoing being reported or uncovered since the hotline has been introduced." In terms of increased detection or deterrence, the small numbers of valid calls make it difficult to quantify hotline effectiveness in all but the largest organisations. In its Good Practice Guide on Speak Up Procedures, the Institute of Business Ethics says that, without comprehensive records, it is impossible to measure the effectiveness of whistleblowing mechanisms. This leaves hotline operators with a dilemma: best practice is to keep records to measure effectiveness, but they have very few cases on which to hold data. This brings us back to the question: how do we know if the hotline is working when no one calls it?

Various data can be gathered by operators to measure a hotline's effectiveness. Where incidents have been reported, they should retain detailed records of the validity of the report, the response and resolution time and the outcome (eg sanctions, policy change, internal control improvements). Arguably more useful than this quantifiable information is the opinion of the whistleblower (although this might not be possible if the caller is anonymous). Was their case handled fairly and in good time? Was the outcome reasonable? Was confidentiality respected? Were they kept informed? Did they suffer retaliation? The success of a hotline depends on whistleblowers coming forward. It can take a long time to build confidence to report and this can crash quickly if users have bad experiences. Without user confidence, the hotline is dead, and without comprehensive records the operator may not know it is dead.

Measuring hotline effectiveness need not, however, be limited to data on reported incidents. Staff surveys can gauge opinion of hotlines. Questions should not be restricted to "are you aware of the hotline?", but should ask "would you report wrongdoing that you witnessed?" and, if not, "why not?". You could benchmark against similar organisations' hotlines using reports such as the 2010 Corporate Governance and Compliance Benchmarking Report by BDO Consulting and The Network to measure your hotline's relative effectiveness. To measure the effectiveness of the hotline as a deterrent, you need comparisons of before-and-after data related to the consequences of wrongdoing (eg theft data, costs of legal cases or information leaks). Credibility is crucial. An ineffective hotline that is seen as window-dressing can increase staff cynicism towards management and is likely to damage rather than help the fight against wrongdoing. It is vital that hotline operators are clear about what they want to achieve, and then actively monitor (by recording and analysing detailed records) the achievement of their objectives. It may be complicated to measure effectiveness, but without constant monitoring, measurement and adjustment, the hotline is doomed to fail.

Nick Waldron CMIIA is internal auditor at the European Space Agency headquarters in Paris.
[Charts: % of total responses by organisation size (1-100 staff, 101-1,000 staff, 1,001-10,000 staff); values shown include 69% and 76%]
FOR MORE INFORMATION To read full versions of the tables shown above visit www.auditandrisk.org.uk
Quantifying quality
It's easy enough to see how much internal audit costs, but can you improve the way you demonstrate the value that your organisation gets in return? Scott Wallace finds some pointers in the results of new research by KPMG in Scotland.
We are currently in a period where businesses need to take risks to grow, yet have a low tolerance of failure. The role of internal audit has, arguably, never been so important, yet the cost of internal audit is becoming ever more visible and this means it can be challenged. So internal auditors need to demonstrate the value delivered by their function. Researchers from KPMG, at the IIA Scotland conference in November, asked representatives from some of Scotland's biggest companies: can you measure the value delivered by your internal audit function? This research was supported by a series of workshops that added qualitative value. It identified three key challenges: strategic; measurement; personal/personnel.
The strategic challenge: surprisingly, one of the main challenges facing internal audit is a lack of clarity around its strategy and remit. Nearly a quarter of those polled were either unaware of, or did not have, an internal audit strategy. You need a clear remit and strategic positioning of the function to know what to measure. The problem is exacerbated by a range of reporting lines for the chief audit executive. Paradoxically, almost all respondents had performance incentives that included measurement criteria. So performance measurement is part of the culture and, therefore, we need to shift the focus to the links between performance and the internal audit strategy. The simple step of engaging with the audit committee and executive management to define their needs and requirements should help to inform future work.
The measurement challenge: how to measure added value is a crucial question and is generally seen as the most difficult part of the process. Measuring internal efficiency and productivity is now more common. The research suggests that 96 per cent of private sector and more than 80 per cent of public sector organisations measure department performance. In these cases more than 40 per cent provide the performance statistics in their reports to audit committees. However, only 20 per cent of respondents measure value-driven items such as savings, fraud prevention and identifying control weaknesses. So measuring results is more difficult and much less prevalent than measuring activity.
The personal/personnel challenge: does the measurement challenge indicate a personnel challenge? Responses showed a clear link between internal audit performance objectives and those of internal auditors (in almost all cases, around 95 per cent). Equally, they showed no link between cost savings, value adding and the personal objectives of internal auditors. This may be a chicken-and-egg dilemma and further indicates the lack of definition described above. Respondents also indicated that further work is needed to establish the right IA resource quality and mix. More than 30 per cent said they need greater depth of functional resources.
Most people agree that it is desirable to demonstrate the value of internal audit. So what can the profession do to show the value it adds and share experiences as a profession and functional activity? The research pointed to four areas:
1. A clear remit: make visible and be clear about internal audit's responsibilities and what it will, and will not, undertake and assure.
2. Improve quality and maximise the internal audit report communication. Link reports to the organisation's strategy, objectives and values. Make them relevant to the organisation and ask recipients what they want.
3. Commission independent, interview-led feedback. Getting feedback from areas being audited can result in a conflict of interest. It is more valuable when obtained in an independent interview.
4. Identify a Top Ten set of common measurement criteria to form a dashboard of internal audit delivery. This should audit progress against the IA plan, give quarterly updates of high-risk audit areas, benchmark similar processes across the organisation and get feedback on any inconsistencies.
Scott Wallace is director for internal audit, KPMG, in Scotland.
Career development
In the beginning
What factors should you consider when establishing and embedding a new internal audit function? What challenges will you encounter, and what opportunities might arise? Ross Boreland CMIIA offers some advice.
The importance of a strong internal audit function is not always obvious to managers or employees. Some see it as an overhead or a source of awkward questions that hinders operations. So first you need to understand what drove the decision to establish the function. Did the board have no option (is it a regulatory requirement)? Did shareholders or a parent company demand it, or external auditors recommend it? Did the board want an internal audit function? Did something happen which made it impossible not to have internal audit? You then need to consider the corporate structure of the organisation and plan how to introduce an audit function with the best possible standards. These questions enable the head of a new internal audit function to put their position in a wider context. The answers should indicate the priorities of the board and ensure that your audit plan covers the key issues. They might also identify areas where internal audit needs to win trust. Ask how the board and management see the role of internal audit. If they want the function to fulfil static objectives, such as generic balance sheet or income statement reviews, it might be difficult to develop a wider role. This can also be a problem if the function is set up in reaction to an incident.
Your first audit plan will probably address the key concerns of the board. It may or may not be linked specifically to the organisation's risk register, but it will be geared to the areas where the board needs short-term assurance. At this stage the function will probably have limited resources and may have enough work completing even a simple plan. When you start to develop the role, you need to know the organisation's position on risk management. An open-minded attitude should enable you to align the audit plan with the organisation's strategic objectives. Risks can be incorporated as they are identified. Informal approaches to risk management make this more difficult. Inherent risk may be inadequately documented and information can be trapped in management silos. Managers might believe they are managing risk, but these risks may be historic, generic or function-specific and may ignore support departments where the impact of incidents is not immediately apparent. Managers may not agree which risks need to be addressed. If so, you will have to learn more about the organisation and find the best way to discuss it. Putting the work in now should help to identify non-assurance areas where internal audit can add value, and conversations, questions and suggestions may open management's eyes to more risks.
You may need to make difficult choices about audit scope. If regulators demand particular reviews, you may have little time for other areas. If the board merely wants reassurance about the numbers, it might restrict audits to balance sheet and income statement reviews. Alternatively, the board may want a comprehensive plan without providing resources. If so, you must explain the implications and manage expectations. Delivering results is central to demonstrating the value of internal audit. Use early reports to identify new areas of work and show management that you can do more than what they initially wanted. Discuss issues to ensure that all parties are clear about what reports mean. Grading findings will be a hot topic, particularly if managers are new to audit, or used to getting low-grade issues. Negotiating the wording of findings and grades can be difficult, but it helps you to focus on what is important. If managers or staff fear recriminations, they will resist. You need to work with the board, managers and staff to allay fears. A board that accepts and delegates responsibility for issues makes it easier for internal audit to be a partner, not an agency of blame. You cannot change a blame culture overnight, but you can stress that your concern is rectifying problems and enhancing controls. Building trust improves information flows, makes audits more efficient and encourages staff to raise issues. It takes time to embed a function. If you understand your business and deliver a quality product, you will create opportunities for internal audit to add real value.
Ross Boreland CMIIA is assistant manager, enterprise risk services, Deloitte, Dublin. The IIA recently issued guidance on setting up an IA function at www.iia.org.uk/setupnewIA
You asked us
Q&A
Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you've submitted recently.
Q. I am looking for advice about conflicts of interest. I have recently moved into an audit role from an operational role and want to clarify what would be a reasonable length of time before I can audit the area where I worked?
A. Ideally I would steer clear of auditing an area where you previously had responsibility. You may feel objective, but this may not be the view of your former colleagues and that may make it hard to agree conclusions and recommendations. If you have no option, it's generally thought that a one-year lapse is needed. Practice Advisory 1130.A1-1 states: "Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit those activities they previously performed or for which they had management responsibility until at least one year has elapsed. Such assignments are presumed to impair objectivity, and additional consideration should be exercised when supervising the engagement work and communicating engagement results."
Q. I am looking for guidance on creating and maintaining good working papers.
A. The format of working papers is less important than the content. The key aspect is to record relevant information such as your objectives, work programme, results of interviews, the extent of testing and the results from testing. All of these show how you have formulated your conclusions and your opinions. The international standards do not prescribe the format as such, but emphasise that, if challenged, you should feel confident and able to provide sufficient evidence to support your views and recommendations. Thinking about the way your working papers link together and how much time it takes to complete them will help you to improve operations (efficiency), but this is secondary to providing reliable assurance (effectiveness). Lastly, working papers are the property of the organisation, so the head of internal audit needs to control access, develop retention requirements and obtain appropriate authority for their release. This will involve designing and implementing policies and procedures.
Q. Can you advise me on what is best practice for the approval of a purchase requisition and subsequent purchase order? Does finance have a value-added role to play in this or should they allow budget holders to control spend?
A. I'm not sure there is such a thing as best practice any more, just a wide range of differing practice as organisations redesign procedures to take advantage of new technology and work to reduce costs. For example, I know one organisation that has removed requisitions altogether and automatically pays invoices if they match
the purchase order amount. They take the view that cost savings in time and staff reductions significantly outweigh the risk of errors and fraud. Some finance departments adopt a monitoring and control role as well as a processing role. This involves checking certain things are correct, eg, coding, use of preferred suppliers or competitive quotations. You could call that added value, but it comes at a cost. The alternative is to push some of those responsibilities on to management to spread the load or to develop new tools. My advice is to encourage a risk assessment of the purchasing process from start to finish with review of required responses. If that has been done, you could assess how effective that is and verify that controls are working. This will give an all-round view of risk management rather than looking at things on a control-by-control basis.
Q. Is it compulsory for all UK listed companies to have an IA function?
A. There is no mandatory requirement for listed companies to have an internal audit function, but it should be something that audit committees consider on an annual basis. Absence of an internal audit function should be explained in the annual report. The following three documents and extracts provide more information and may be of interest.
1. Guidance for audit committees, the internal audit function, ICAEW, March 2004: "Whether to have an internal audit function. Having an internal audit function is not mandatory for listed companies, although it is for certain public sector organisations. Therefore the board of a smaller listed company may decide that it already gains sufficient assurance on risk, control and governance from other assurance activities within the organisation, for example, directly from regular management information and self-monitoring, from other assurance functions such as security or health and safety or from its external auditors. In short, a company may conduct internal audit activities even though there is no internal audit function."
2. Guidance on Audit Committees 2010, Financial Reporting Council, page 11, 4.10/4.11: "The audit committee should monitor and review the effectiveness of the company's internal audit function. Where there is no internal audit function, the audit committee should consider annually whether there is a need for an internal audit function and make a recommendation to the board, and the reasons for the absence of such a function should be explained in the relevant section of the annual report. The need for an internal audit function will vary depending on company-specific factors including the scale, diversity and complexity of the company's activities and the number of employees, as well as cost/benefit considerations. Senior management and the board may desire objective assurance and advice on risk and control. An adequately resourced internal audit function (or its equivalent where, for example, a third party is contracted to perform some or all of the work concerned) may provide such assurance and advice. There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues."
3. UK Corporate Governance Code 2010, Financial Reporting Council, page 32: "In addition to the 'comply or explain' requirement in the listing rules, the code includes specific requirements for disclosure which must be provided in order to comply, including: the annual report should include, where there is no internal audit function, the reasons for the absence of such a function (C.3.5)."
Q. Our external auditors have advised our internal auditor, which is a small one-person external consultancy practice providing internal audit services, that an external assessment is required to evaluate the quality of the internal audit service provided. This is to accord with the requirements of the International Standards for the Professional Practice of Internal Auditing (Standards). My reading of paragraph 1312 (external assessments) of the said standards is that external assessments apply to in-house provision and not to external providers. In addition, paragraph 2070 suggests to me that the review carried out in-house to ensure that governance arrangements are effective, which includes internal audit, would negate the need for an external assessment to be done on an external internal audit service provider.
A. Our standards are written as a general set of principles that can be applied by in-house and external providers of internal audit. In other words, all of the standards, including the ones on quality, apply to all forms of delivery. This means external providers need to have five-yearly assessments. I have done some of these as part of the EQA service the institute now offers. Standard 2070 was added in 2011. Its purpose is to emphasise that the organisation is ultimately responsible for the effectiveness and quality of its internal audit service when the service is outsourced. An organisation cannot put the blame on the provider if part or all of the service does not live up to expectations; 2070 puts the onus on management to do something about it. This increases rather than negates the need for an EQA where an external provider of internal audit is used. We recognise that it may be difficult to apply all the standards in small or one-person internal audit activities, so our global body has issued some guidance on how to apply the standard in such circumstances, called "Assisting small internal audit activities in implementing the International Standards for the Professional Practice of Internal Auditing". This can be accessed at http://bit.ly/12raWv4. This guidance recognises that cost may be an issue and advocates peer review as a cost-effective option. The problem for you is that a firm may be reluctant to have a competitor carry out its EQA, which is why we now offer a service.
Got a question? Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what's new.
UPDATE
We round up the latest business and regulatory news to affect the internal audit profession.
Heads of internal audit rubbed shoulders with high-profile business leaders and senior figures from other professional bodies at the institute's annual dinner on 20 June. The event took place in the beautiful surroundings of the Guildhall in London. One highlight was a thought-provoking speech by Douglas Flint, group chairman of HSBC Holdings, which was particularly timely given the challenges and regulatory changes currently affecting the banking industry. No annual dinner would be complete without prizes to recognise outstanding
Face-to-face learning
The IIA is planning a pilot face-to-face learning programme for the IIA Advanced Diploma to be delivered in London. Students will receive all the relevant study materials, including the institute's texts, learning packs, and a CD-ROM with extra content. As with the IIA's distance-learning programme, the focus is on equipping students to be excellent internal auditors. The pilot will run in September and can accept a maximum of 15 students, so if you are interested, you should book early. Contact the learning office on 020 7819 1939 or email learning@iia.org.uk for more information.
Calling all HIAs: IIA launches its first annual survey of internal audit
In July we will be launching the IIA's first ever annual survey of internal audit. We will be asking all heads of internal audit to tell us more about the profession. We need your input so that we can understand and analyse the profession's strengths and development needs. This will help us to communicate to regulators, legislators and the media, as well as your audit committee chairs and chief executives, more about the value and importance of internal audit. Watch out for our online survey, which will be available on our website and e-mailed to you soon. The results will be posted online later this year.
Maintaining an internal control framework that is fit for purpose in these challenging times is imperative. Doing so presents a significant challenge.
Take control of your business processes with ICE
ICE helps organisations design, document, monitor, report, and continuously improve their internal control environment.
Events
For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.
[Events listing: the dates and months printed alongside the events below were not recoverable from the page]
- The internal auditor's guide to strategic thinking, London
- Ultimate persuasion techniques, London
- IIA Award in the internal audit planning and assurance framework, London
- IIA Annual Conference 2013: Expect more, harnessing the power, London
- IIA Award in effective delivery of audit and assurance, York
- Techniques for effective testing, York
- HIAs forum: social, economic and political risk, how to focus on key issues, London
IIA regions and special-interest groups may include details of upcoming events. Contact trainingandevents@iia.org.uk please state the
The deadline for the September/October issue of Audit & Risk is 17 July.
The IIA offers a comprehensive face-to-face learning programme for IIA Diploma students studying towards the November 2013 exams.
Choose the Institute for your support
- Four days of intensive syllabus-focused tuition
- Bespoke learning texts and workbooks
- Detailed feedback on assignments
- Expert and experienced tutors
Register now! Limited places available. Our workshops are guaranteed: we promise never to cancel.
Don't delay - start your journey to become a Chartered Internal Auditor today. Contact IIA Learning: Tel 020 7819 1939, email learning@iia.org.uk, www.iia.org.uk
Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
You can request either a clerical check of your script or a full review including a clerical check and a report giving feedback on your performance. Options cannot be changed after submission. The first option costs 51 plus VAT and the second option costs 107 plus VAT. You can apply for a review only via the application form on our website. Submissions must be received at the institute by 5pm on Wednesday 28 August. Review requests may be submitted only by students. Further information will be supplied with the exam results. You will get your review results within four weeks of the institute receiving the request and the fee. If a review results in a grade being revised from a fail grade to a pass grade, you will be notified and the review fee will be refunded.
level with up to 60 general credit rating points available for each of the IIA Diploma and the IIA Advanced Diploma, and up to 30 points available for the IIA Qualification in Computer Auditing. Qualified members can use these credit ratings to support an application to study a further qualification at a higher education institution. Members can also take advantage of awards of specific credit towards particular Open University distance-taught qualifications. For further information on Open University accreditation for IIA qualifications visit www.iia.org.uk/openuniversity.
Release of the past paper packs and the chief examiners' reports
The past paper packs and the chief examiners' reports from the June exam session will be available from Monday 9 September at www.iia.org.uk/examreports.
Randstad Financial & Professional, formerly Martin Ward Anderson, now has a specialist corporate governance division covering: internal audit, internal controls, risk management, IT audit, SOX.
Our candidates: our network includes IIA members, newly qualified chartered accountants, multilingual and high-level internal audit directors.
Services available to you: we also offer industry information for both clients and candidates: recruitment reviews & market insights, global interviewing facilities, interview advice, CV writing.
Our approach: each client is unique, so we tailor our approach to each role. We have experience in providing a number of recruitment solutions including: headhunting, professional referrals, retained campaigns, multi-vacancy campaigns, contingent recruitment, international campaigns.
Get in touch: whether seeking your next role, or hiring for a niche skill set, please contact our corporate governance experts, quoting reference IIA. T: +44 (0) 207 786 6563 E: matthew.winstone@randstadfp.com W: www.randstadfp.com
Head of Audit and Assurance 61,171 - 68,849 Risk and Assurance Auditor 37,029 - 42,491
London SW6
The Mayor's Office for Policing and Crime (MOPAC) discharges a broad range of statutory duties and is directly accountable to the Mayor and Deputy Mayor for Policing and Crime in delivering their agenda for London. It is dedicated to building a professional, highly skilled workforce that will assist in delivering the Police and Crime Plan for London. You will be joining the MOPAC Directorate of Audit, Risk and Assurance, a well-respected unit that has the interesting and challenging job of providing the internal audit service for the MOPAC and Metropolitan Police Service (MPS), and under a shared service arrangement, the London Fire Brigade and the Greater London Authority. As one of three Heads of Audit and Assurance, reporting to the Director, you will develop audit strategies to help address key strategic risks associated with change, improve the internal control framework and ultimately deliver more efficient services. This offers you a rich variety of challenges and the opportunity to influence change at a senior level across a varied client base. The confidence, integrity and ability to operate at a senior level are essential. This will call for senior management experience in internal audit that includes providing risk and control advice to major change programmes, ICT technical knowledge and a thorough understanding of modern-day internal audit concepts and standards. You will be qualified to at least CMIIA or CCAB level, and a current member of the appropriate professional body. As a Risk and Assurance Auditor you will identify key risks, evaluate and test controls and identify areas of improvement, by planning and carrying out programmed audit assignments. A good level of practical internal auditing experience is essential and that will be supported by a recognised qualification (AAT/PIIA) together with membership of the appropriate professional body.
You will be someone who has a thorough understanding of risk-based auditing and the personal qualities and credibility to operate effectively as a representative of the MOPAC. In addition to an attractive salary package, the MOPAC offers a range of benefits including 32.5 days annual leave, an interest-free travel season ticket loan, a beneficial pension scheme and an emphasis on personal development and training. To apply please visit www.london.gov.uk/priorities/policing-crime/working-mopac for an application form or call 02071612461/3 for more details. Completed applications should be returned to recruitment.audit@mopac.london.gov.uk Completed applications must be returned by 22 July 2013. The Mayor's Office for Policing and Crime is an equal opportunities employer.
Internal Auditor
Permanent: Full time Salary range: 24,958 - 29,373 Location: Camberley, Surrey
At Surrey Heath we believe that it is important that we provide excellent value and efficient services to our residents. To help us meet this aspiration we are now seeking a qualified internal auditor to join our small audit team to undertake a wide range of audits across the Council. Ideally we are looking for someone with experience of working in the public sector, although this is not essential. More importantly you should be a self-starter, able to understand a variety of systems quickly, be challenging but constructive in your audit work and able to communicate with people at all levels in the Council both verbally and in reports. You will have:
- Audit Qualification (IIA, CIPFA or equivalent)
- Experience in risk-based internal auditing
- Experience of the entire audit process, from the scoping and planning of the audit, its execution and assessment, leading to the final audit report
A generous benefits package includes: a minimum of 24 days annual leave, flexible working, final salary pension scheme, life insurance, CPD training and free parking. For further information and to apply, please go to our website www.surreyheath.gov.uk. Closing date: Friday 26th July 2013. Interview date: week commencing 12th August 2013. Surrey Heath Borough Council is committed to equality of opportunity in employment and service delivery and welcomes applications from all sectors of the community.
GOVERNOR VACANCY
Peterborough Regional College is seeking a governor with financial, audit or accountancy expertise to join its Governing Body, the Corporation Board, and to serve on the Audit Committee. The Board is responsible for setting the College's strategic direction and ensuring that the College delivers excellent outcomes to students and the local community. An interest in further and higher education and a commitment to improving the education and skills of young people and adults is essential. This is an unpaid role but one which offers the opportunity to make an important contribution to a thriving college which is there to serve the local and wider community. If you are interested in finding out more, please contact Ana Lewis, anajlewis@googlemail.com or call 07543 933772 for further details. Closing date 31st August 2013.
Raising Aspirations, Realising Potential & Inspiring Success
Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School.
Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience. We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes: full time, block release or flexible learning*. The programme of study provides: - Single assessment for each module using both assignment and examination methods - Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels, as well as adding value through real world industry and professional experience - Significant visiting practitioner involvement in the delivery of each module - A cost effective pathway to internal audit career development. Annual course fees for September 2013 and January 2014 enrolments are 7,500 (full time) or 4,500 (part time) and include all learning materials and subscription/examination fees payable to the IIA. For further information, please visit our website: www.bcu.ac.uk/audit or contact us directly on mscaudit@bcu.ac.uk or 0121 331 6595 / 5623.
* Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.
As a result of a promotion, this growing local government shared service is looking to recruit an experienced Principal Internal Auditor. You will be expected to efficiently deliver a comprehensive internal audit service, covering the full range of functions across their local authority clients. Ideally you will hold the CMIIA qualification or a recognised accountancy qualification and have at least three years' internal audit experience.
Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com
www.barclaysimpson.com/interimsolutions
Visit www.barclaysimpson.com to access a vast range of free online resources:
- Search hundreds of audit vacancies
- Find your current market value
- Information on where best to live and work
- Focus on Computer Audit
- Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the REC's Diversity Initiative.
MI5 helps protect the UK against threats to national security including terrorism and espionage. The Internal Audit team plays a critical role in helping MI5 manage its risks effectively and we currently have a vacancy for a Senior Internal Auditor.
Reporting to the Deputy Head of Internal Audit, you will deliver risk-based audits across a number of business areas including operational, security, financial and organisational risks. This is a challenging and varied role and, working alongside MI6 auditors, you will have the opportunity to conduct audit assignments in both MI5 and MI6. Working with stakeholders of all levels, you will have the ability to foster positive and productive working relationships and will act as a catalyst for improvement by exploring current practices, challenging traditional approaches and making value-adding recommendations clearly, succinctly and robustly. A pragmatic approach is important for success in this role. You will be a confident communicator, producing written reports, delivering presentations and conveying technical concepts to non-technical colleagues. You will also need strong data analysis, decision making and problem solving skills and sound judgement. A full audit or accountancy related professional qualification, such as CMIIA or CCAB, and practical, recent experience of delivering a range of risk-based internal auditing assignments within deadlines are essential. You should also have basic project management skills and the ability to assimilate large volumes of information quickly, scope and conduct audits and lead reviews. Experience of working within the security intelligence sector is not necessary as you will be given a comprehensive induction. You will be comfortable working both autonomously and as part of a team. Applicants must be born or naturalised British citizens and normally have been resident in the UK for 9 out of the last 10 years. Discretion is vital. You should not discuss your application, other than with your partner or a close family member. To find out more about us, visit www.mi5.gov.uk/careers Closing date for applications is Monday 29th July 2013.
To request an application pack please contact David Jarrold dj@barclaysimpson.com or Daniel Flynn df@barclaysimpson.com
Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com