Issue 11 May/June 2013
Supplies surprise? What the horse meat scandal tells us about the risks of long supply chains
C-suite careers: why internal audit offers useful experience for a job on the board
Early-warning system: how to spot the next big risk before it's too late
Contents
chief internal auditor at Shell, explains how a constant flow of new recruits from the business helps internal audit generate value
Published for the Chartered Institute of Internal Auditors by Caspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Ruth Prickett ruth.prickett@caspianmedia.com 020 7045 7572 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.
Front
The IIA view: From the chief executive, Ian Peters.
World view: From Richard Chambers, IIA Global president and CEO.
Update: The latest news affecting the profession.
Reportage: The findings of PwC's latest annual global CEO survey.
Features
He can be sure of Shell: Armand Lumens, chief IA at Shell, explains how he zips up internal audit across the business.
Command of chain: How to monitor risk along extended supply chains.
Moving up: Two former internal auditors reveal how this experience helped them apply for executive roles.
Early-warning system: How to get future risks on your organisation's radar.
EQA FAQs: Why have an external quality assessment?
Regulars
Tools for the job: A guide to the IIA's guidance for members.
You asked us: Experts answer readers' technical questions.
IIA update: Institute news and membership matters.
Student noticeboard: Essential information for exam candidates.
We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk
The Salz review of Barclays' culture and business practices, published in April, made 34 recommendations to improve the corporate environment at the bank. The review suggests that the culture change needed at Barclays can be created by implementing Anthony Salz's package of measures, alongside developing a clearer sense of common purpose and well articulated and understood shared values. Salz's recommendations embrace many aspects of Barclays' business practices, processes and policies, including standards of professionalism; employee engagement; values and human resource management; customer focus; board quality and board information quality; and executive team cohesion. On the principles of pay, Salz advises that pay policy should take account of the reputational and behavioural implications of pay, as well as reflecting individual talent and the person's contribution to the bank. In particular, the remuneration of employees in control functions of the bank should contain a higher proportion of fixed rather than variable remuneration to avoid, for example, potential conflicts of interest. These recommendations are consistent with the draft recommendations of our own committee on effective internal audit for financial services.
In both cases the purpose is to ensure that pay reflects and encourages high professional standards, commitment to company values and a focus on long-term company performance, as well as attracting the skills and talent needed for the job. While many people may see pay as the most important factor to get right in the short term to change culture, the report acknowledges that a transformation of the type needed at the bank will take time. But if the result of the review is a sounder corporate environment at Barclays there may be lessons for other organisations, regardless of their sector. So where does internal audit feature in this transformation? One of Salz's recommendations relates directly to internal audit. Recommendation 33 states that internal audit should ensure the effectiveness of its audits and have scope across the whole business. The internal audit charter should cover all aspects of governance, control and risk culture. Ensuring the effectiveness of internal audit requires complete independence and objectivity and therefore greater influence. But in order to achieve this the corporate environment across the organisation has to be right. Making it right relies on the
implementation of Salz's other wide-ranging recommendations. Internal audit can be so much more effective when there is a clear and ethical tone at the top, an open culture and a cultural emphasis on the continuous improvement of control over risk and behaviour. Salz's recommendations to the Barclays board set out to achieve this. Internal audit can support the board by helping to drive such a culture if it has the right position within the organisation in terms of its influence and objectivity, scope to work across the entire organisation and the right resources. As a package of measures, Salz's proposals could mark a new era for corporate morality, ethics and business practice, and I hope his review prompts discussions not only in banks and organisations in other parts of the financial services industry, but also in other sectors. Such debates, if they lead to a focus on improving the corporate environment across an entire organisation, can only be good for our profession and enable it to deliver its full potential.
reporting problems that have occurred. They take no responsibility for helping to prevent those problems. As shown by the final position on the continuum, this is only part of internal audit's role. The ultimate way for internal auditors to show leadership in ethics is by being advocates for ethical behaviour the
I can recall many challenging conversations in my time as a chief internal auditor; they tend to stick in the memory. I've been at the giving and the receiving end, and one thing I've learned is that there is definitely a hard way and an easier way to cope with them. The conversation is rarely as bad as you imagine it will be. You need to plan it well, keep calm, listen, explain and get buy-in to the outcome. However, while you can get better at managing them, challenging conversations continue to arise. In fact, the tight economic conditions, reorganisation, rising performance targets and tighter cost control are reasons why they are occurring more frequently. This environment can raise stress levels and affect people's wellbeing, which in turn can generate complaints and grievances, offering scope for yet more challenging conversations. I have found myself challenging what people have done and what they haven't done, as well as why, when, how and where they did something. Sometimes this couldn't be helped, as in the case of attendance management conversations, and sometimes it could, for example when there has been misconduct. On other occasions I have had challenging conversations in committee meetings. Audit committees are right to question and challenge and to be sceptical. I really enjoy that part of my job. I'm supported in my role as a manager at Norfolk County Council by a great head of finance and a well-organised human resources shared service, with guidance and a helpline. I have also had impact leadership
training that covered coaching, mentoring and giving feedback. Such soft skills add to my existing training in auditing and specialist investigative practices. The discipline, pressure and significance of interviewing witnesses take challenging conversations to a whole new level. Any challenging conversation needs to be handled with care because people need to be handled with care. Forget this at your peril. I have found that any meeting can benefit from developing and applying some simple habits. Some meetings will not go well. That's life. But it's some consolation to know that you did your best.
I try never to have a challenging conversation unprepared. Whether you are giving or receiving difficult news, you don't want surprises. Is the person ready for feedback or questions now? If not, when will be the best time and place? It's my responsibility to be proactive, check my facts, examine the issues, consider where this is going next, what the options and
implications are, and what I want to happen. Stephen Covey, author of The Seven Habits of Highly Successful People, describes this as "begin with the end in mind". It may not always be possible to gain a win-win solution, but you must be fair, proportionate and diligent if you are to avoid pitfalls. It's vital to seek to understand the other person's viewpoint first, if I want them to understand me. That's a difficult habit, as I tend to want to step in with the benefit of my experience or simply to finish quickly. You can't rush a difficult conversation. It's also important to work with the other person to find a solution and resolve matters. Any plan needs to have full agreement from both. The last habit is to reflect and learn. I like the way Covey calls this "sharpening the saw". The habit of evaluation is also a key part of the Peace model used in investigative interviews of witnesses. I always find something that I could do better next time. I challenge everyone to practice some good habits and handle people with care.
Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what's new.
UPDATE
CMI report blames weather risk
The British weather, in particular heavy snow, caught UK firms by surprise in 2012, according to the annual business continuity survey by the Chartered Management Institute (CMI). Bad weather was revealed as the main cause of disruption to UK businesses over the past 12 months in the CMI's "Weathering the storm" report, with 77 per cent of survey respondents affected by snow.
We round up the latest business and regulatory news to affect the internal audit profession.
The UK's Financial Services Authority (FSA) should have been aware that there was a risk that firms would make inappropriate Libor submissions to avoid negative media comment, or for lowballing purposes. The FSA's internal audit report on its oversight of the London inter-bank offered rate (Libor) found that the regulator, at all levels of management, was aware of
resources effectively to meet its objectives of securing an appropriate degree of protection for consumers, safeguarding and enhancing the integrity of the UK financial system and promoting effective competition in the interests of consumers. For more information, go to www.fca.org.uk
Spreadsheet dangers
A survey of senior executives and senior managers in UK financial services firms has found a dangerous lack of awareness concerning business-critical data managed in spreadsheets and similar databases. The research, by data management company ClusterSeven, found that 93 per cent of respondents used spreadsheets to manage financial data, but 51 per cent had poorly monitored policies or no usage controls. For further information, visit bit.ly/hKyFK2
REPORTAGE
UK chief executives are more worried than those in other Western nations about the availability of key skills, according to PwC's latest annual global CEO survey, "Dealing with disruption: adapting to survive and thrive".
[Infographic panels, percentages of UK CEOs: planning to employ more people in 2013; thinking that creating and fostering a skilled workforce should be a priority for government, compared with 57 per cent of CEOs globally; planning to change their strategies for attracting and retaining customers; wanting to use social media to strengthen their firms' engagement with customers.]
base as a top-three priority for the year, while 54% cited improving operational effectiveness and 52% cited enhancing customer service.
When asked about the most important non-domestic market for their growth prospects in 2013, 24 per cent of UK CEOs cited the US, 19 per cent cited China, 11 per cent cited France and 11 per cent cited Germany. 38 per cent cited organic growth in the domestic market as their main hope of expansion.
of UK CEOs are planning cost-reduction initiatives this year. Only 17 per cent have R&D as a top-three priority for the next 12 months, compared with 41 per cent across western Europe.
For PwC's 16th annual global CEO survey 1,330 interviews were conducted in 68 countries in the fourth quarter of 2012. The full research report can be downloaded from www.pwc.com/ceosurvey.
You get a flavour of the oil giant's approach to risk management the moment you walk into reception at the Shell Centre. The security guard firmly and respectfully asks for my bona fides at the door. When the receptionist hands me my pass, it comes complete with a list of health and safety tips on the back. Even the welcome video playing on the big screen in the foyer urges me to have a productive and safe visit. That combination is important to Armand Lumens, the company's chief internal auditor. "People in the business are not going to do anything that they believe has no value," he says. "Managers should always be asking how they get the biggest bang for their buck and the auditors have to think the same way. They're not going to waste time dreaming up recommendations that get locked away in a cupboard." Being integrated with the business while maintaining a strict independence is very important to Lumens. That's one reason why 85 per cent of the 220-strong IA team at any one time is rotated out of business roles. When you learn that 90 per cent of the 350 audits they conduct each
year are on operational, not financial, aspects of the business, that requirement becomes compelling.
Credibility counts
"The key is: how do you engage with the business?" Lumens says. "The first thing is to recruit people from within the business. Immediately that gives you credibility. I can't send a 23-year-old graduate to Sakhalin for a talk about well design with a drilling engineer who has spent 30 years in Shell. It doesn't work. So we bring in experts whom we train to become internal auditors within six months." On any given audit, then, IA assembles a team of five or six people with a range of skills designed to match the assignment. That makes for richer, more informed conversations. "The people joining us work with five or six new people every five weeks, picking up a lot of skills such as conflict handling, analytics, report writing, presenting, interviewing techniques and working virtually," Lumens says. "So a reservoir engineer who joins us won't work only in, say, Africa. Within two or three years he or she will have seen all the assets that deliver major reserves. When they go back they will have a real depth of knowledge on what works and what can go wrong, because they've seen operations all over the world." But the drive to win credibility doesn't end there. "Whenever we report, my staff are present in the leadership meetings to discuss the outcomes of the audit and any actions required," Lumens says. "So you have an expert who is from audit, but they're with the leadership team to talk about what they're going to do next." Because the team on the ground already has credibility with the people it's auditing, those actions are generally realistic, nuanced and value adding.
The mandate
Don't be fooled into thinking this is an overly cozy relationship, however. The second
critical factor for Lumens is a strong mandate. "The executive committee and the audit committee are clear on this," he says. "We can go anywhere we like, we can ask anything we want, we can request any document and we can get into any system in the company. Our independence and liberty are very clear." Lumens is quick to add that, if he made a habit of walking into the offices of senior executives with "demands", his credibility would take a hit. "It's a powerful mandate, but not one to be abused," he says. "What's important is to gain respect. We need to build and maintain our reputation. Every single audit needs to be executed perfectly and people need to say at the end: 'Wow, this was a good piece of work. It might have been painful. But we learned something and we will change things if we need to.'" To understand that powerful mandate, it's worth taking a detour into Lumens' past. He's had an incredibly varied
career at Shell (see panel, below), but in late 2003 he came to London as the assistant to the group controller. Within weeks of his arrival, Shell was in crisis. It transpired that it had overstated its proven oil and gas reserves by about 20 per cent. "It's true that the IA mandate grew in 2004 during that reserves crisis," he says. "There were a lot of issues concerning the interpretation of rules, integrity, transparency, and in 2004 that was all still relatively new [in terms of priorities across the industry]." Lumens spent nearly 18 months investigating the problems and issuing restatements: "I probably have the world record for issuing the most 20-F forms in a two-year period!" But, as well as boosting internal audit's mandate, the experience also reflected Shell's style of addressing problems: work hard to make it right, learn the lessons and, critically, embed these in the culture of the organisation for the future.
Risk? What risk?
It's worth remembering that Shell's business is inherently risky. Pumping combustible materials from deep in the Earth's crust, then refining and transporting them to be used by the general public is no cakewalk. But that can actually be an advantage for an internal audit function. "Health, safety and environment are only a small portion of the risks for this company," Lumens says. "But, because we take them so seriously, it definitely creates a very strong compliance culture, an awareness about risk that we try to extend to other parts." Hence those tips on the security pass. It's all part of Shell's "Goal zero" approach to safety throughout the company. So it seems a little surprising to learn that, unlike a bank, for example, Shell has no discrete risk management function. "The risks are owned by the businesses. I don't own them," Lumens says. "If they decide they want to take a risk, even if they disagree with me, they can. That's a management decision. I can't be too far away from it, of course, and we do have disagreements from time to time on which risks we should run. Then we take it up to the business assurance committee or executive committee and have an open debate about it." "I support managers through our audits and workshops and training on risk management," he adds. "That's one of my key drivers, that we're managing risk better and in the right places." He gives a financial example. "My predecessors had 40 Sox [Sarbanes-Oxley Act 2002] auditors in the past," he says. "I have none today. We needed a lot of people at first to gear up the organisation to be compliant. We needed a lot of support to teach people what controls we were expecting. It was a complete culture change. But it's been completely integrated into the business now. That's why 85 per cent of our people will rotate back to their functions or businesses," he continues. "It strengthens our controls. These auditors have learned so much about what the business is like from doing audits. We believe that has huge added value."
Effectiveness matters
That's the mantra: the value of internal audit to the business is absolutely critical. "There's a lot of discussion about where the chief internal auditor should report to," Lumens says. "Should it be the CFO? Should it be the CEO? But that debate disappoints me, because it simply confirms certain myths that people have about the audit profession, myths that are extremely difficult to bust." The reality? There are audit functions that have clout, impact and the capacity to be sparring partners and that are also moving towards a vision of a high-powered function that really supports the business. "It's not only about throwing reports over the fence," he says. "So we say: if we can do something differently, we can actually make more money or reduce risks or do things faster." So, your reporting line helps you to remain independent, but only by proving your value on every audit do you make a real difference. For details about the IIA's Auditing Business Function resource, visit bit.ly/15yZfCu
The use of relatively cheap suppliers overseas has enabled UK businesses to compete more effectively on cost. But, as the recent horse meat scandal showed, operating long international supply chains is not without its dangers.
Words: Alice Hoey Illustrations: Matthew Hollister
Command of chain
A burger walks into a bar. "A pint, please," he says. "What was that? I can't hear you," replies the barman. "I'm sorry," says the burger. "I'm a little bit horse." And so the jokes went on (and on) after the revelation in January that certain meat products were not all that they seemed. It was no joke for the major supermarkets. Giving evidence to the Commons select committee for environment, food and rural affairs, Tim Smith, Tesco's technical director, said that the loss in sales as a result would be "a lot bigger than £1m". The eventual cost resulting from the damage to firms' reputations could prove much higher than that. Tesco saw £300m wiped off its market value and quickly announced a new DNA testing programme in an effort to stem the flow of customers from its meat aisles and restore confidence in the provenance of its goods. Other affected supermarkets suffered similar consequences.
Although the food industry is in the spotlight, the scandal has raised serious questions about the traceability and transparency of supply chains more widely, highlighting the challenges faced by organisations in guaranteeing that their business partners are up to the required standard. Advances in logistics technology and infrastructure have enabled British companies to take advantage of lower-cost suppliers around the world, which has given rise to long and complex cross-border supply chains. But their proliferation presents a number of problems, including those of ensuring compliance with regulations in each country concerning health and safety, ethical practice and social responsibility, and of ensuring that information about suppliers is shared. These are problems that many companies have yet to solve. Research by TÜV SÜD, a German-based product testing and certification organisation, has
found that 60 per cent of British manufacturers, distributors and retailers are still unable to trace all components in their supply chains. Perhaps more worryingly, even though the UK has some of the world's strictest regulations on food labelling and hygiene, nearly half of firms in the survey admitted that they couldn't guarantee that all of their suppliers satisfied British product safety requirements. Another study by the fraud investigation and dispute services team at Ernst & Young has found that nearly half of British firms are failing to vet their foreign suppliers for compliance with the UK Bribery Act 2010. Only six per cent of respondents said that, if they were to find that a supplier was non-compliant, they would put the contract back out to tender.
Making connections
According to Paul Carr, director of FMCG at Achilles, one of the world's largest supply-chain information management companies, the crux of the horse meat scandal was a lack of joined-up information on how suppliers were interacting. "In theory, supermarkets understand the activity in one line from farm to shop, but it took four weeks to work out, sideways, which other supermarkets and outlets the rogue provider was supplying. To prevent this situation, supermarkets must work collaboratively and use supply-chain mapping to understand the network of supply chains servicing their industry," he says. Mandy Murphy, a spokeswoman for the British Retail Consortium, says that its members have established robust systems for food safety, based on auditing and strong supplier relationships, but she admits that these are not designed to identify possible criminal behaviour or people trying to flout the rules. "That is much harder and it may be that those systems need to be reviewed to cope with this." Murphy concedes that more could be done to improve intelligence-gathering across Europe. "We are members of the Food Standards Agency's consultative group on emerging risks, which is a useful forum for exchanging information on future risks in the supply chain," she says. "But the agency needs to ensure there is more sharing of information among regulators at a European level." There has always been a need for knowledge, understanding and good long-term partnerships, according to Kevin Rumfitt, CEO of the Institute of Supply Chain Management, but language barriers, cultural differences and concerns about the cost of travel have been limiting factors. The economic conditions haven't helped, he explains, because firms seeking cost savings are cutting back on the travel that is necessary for UK businesses to meet their suppliers face to face and strengthen relationships. "For some firms it means that there's more trust and less knowledge of where produce has come from," Rumfitt says. Saleem Chowdhery, head of risk and internal audit at Morrisons and a member of the IIA's Heads of Internal Audit service, agrees that there has generally been too much focus on improving margins at the expense of ensuring traceability. "Both buyers and sellers have responsibilities with regard to the quality and condition of goods," he says. "Most well-managed businesses will have assessed the risks in their supply chains and will be seeking to design these risks out." Morrisons has a relatively conservative approach to ensuring quality in its meat supply chain: it processes 95 per cent of its own-brand fresh beef, pork and lamb in its own abattoirs. "We also operate a stringent quality-control system with our third-party suppliers, all of whom have signed up to the Morrisons manufacturing standard and are independently audited against this," Chowdhery says. "Our own sites are also audited against the standard, one element of which is provenance. This states that systems of traceability must be in place and sites must maintain relevant certifications."
Ross Parsell, director of cyber security at Thales UK, says that ensuring effective supply-chain management is an important and difficult challenge for the security industry. "Cyber criminals have started attacking supply chains instead of targeting organisations directly, making the electronic defences of the supply chain as important as those of the organisation itself," he says. "Companies need to assess the cyber security processes of all of their suppliers that handle sensitive information," Parsell says. Some of his following recommended actions could easily be applied to a range of industries and product or service types:
Classify the security risk of the data and access points you are providing to suppliers.
Review regional and industry compliance standards to ensure that all regulatory requirements are met for the countries and sectors in which your business operates.
Set best-practice guidelines to assess all existing suppliers and potential ones before doing business with them.
marketing lead, strategic supply management, at IBM. "They should be taking a 360-degree view of the performance of every supplier and monitoring their risk profile by constantly evaluating their structures," he says. Companies can use the latest mapping technology to track and manage risk all the way down their supply chains. "This ensures that the total impact of supplier disruption is understood and corrective plans are in place," Johns says. "Suppliers can be managed to ensure compliance with corporate standards policies and regulatory requirements, while updates to legislation are automated into the process." Any business that values its reputation must ensure that all links in its supply chain make the grade, in terms of regulatory compliance and also social responsibility and sustainability. "For instance, Apple recently announced that it had terminated its relationship with a component maker, Guangdong Real Faith Pingzhou Electronics, after finding that under-age workers had been employed," he says. A range of simple technologies can also be used to trace the various components of a product. These are already common in the automotive and pharmaceutical industries, according to Rumfitt. "At Nissan, for example, if a dealer takes issue with an exhaust on a new vehicle, each component can be traced, through its own assembly line, from the tier-one supplier that delivered it all the way back to the foundry it came from. They can even determine the mixture of metals that went into it. The systems are already out there and in use," he says. "The question is: why do we have more control over how our cars are made than the food we put in our mouths?"
Although no branded products at Morrisons were affected by horse meat contamination and no goods were withdrawn, the business is not complacent. It is good practice to review processes continually, Chowdhery says. Internal audit has an important role in ensuring that the systems of control to manage the key risks are operating effectively. In our business, internal audit frequently tests the food safety management systems, quality systems and processes concerned with new product development. We have conducted an assurance mapping exercise to understand the second lines of defence, including an assessment of the strength of this assurance against the key risks to Morrisons. And in the past we have challenged management to consider its confidence in the representations it makes about things such as the provenance of its meat products. It's understandable that some businesses will seek the cheapest route to market, however complex the resulting supply chain might be. But the potential reputational costs can be considerable. Businesses can be destroyed for good by mistakes, so they must find the correct balance and ensure that the quality of their brand is built on the quality of the products they supply, Rumfitt says. Anyone who cannot tell you what is really in their products is in big trouble.
John Otty, CFO for Africa, Asia Pacific and the Middle East, Vodafone.
Before I became head of internal audit I was CFO for Asia Pacific and the Middle East. I thought I understood what internal audit did, because I had been audited several times and because I'd sat on audit committees. But I was surprised when I discovered how much value internal audit adds to the organisation. Internal audit has a lot of strength in the company and it can really get things done. But too often it's hidden. I tried to use my operational experience to maximise its impact. For example, I gave my team permission to engage directly with the business to help resolve a problem if they saw one. I don't mean getting involved in operational execution, but simply helping managers to understand the problem and ensuring that they have started working on it. In these cases there was no audit involved, but the impact on the business was high, the resolution was fast and value was seen to be added. One of the most important opportunities that internal audit offered me was the experience of presenting information to the board on a regular basis. I learned how to present complex information more efficiently and how to get my message across in straightforward language; the telecoms sector is full of jargon. I had a strong relationship with Nick Land, the chairman of the audit and risk committee. He's very experienced and understands his role. This helped to create a trusting
relationship, which I think is vital. He told me that he has two friends: the external auditor and the internal auditor. I could tell him things in confidence that went beyond the main presentation to the committee and which gave him a better, richer flavour of the company's risks. One big change for me was building the leadership skills required to run internal audit. I'd worked in global roles before, but this was the first time that I had directly managed 120 people across the globe. It was like running a worldwide consultancy. This meant that I was responsible for motivation, communications, development and training. I also enjoyed the fact that the function was independent from the organisation, so I could set the agenda and lead the team where I wanted to go. This was a great leadership challenge and a massive change from my previous and current jobs. I now manage 15 people, all of whom are based in our London office. I visited internal auditors in all the countries where Vodafone operates. Where I felt they could influence the company more effectively, I offered them support with senior management locally to ensure that they had the influence and the voice they needed to be heard. The internal audit community in Vodafone is fairly well integrated and, although the team works in many regions, we all operate in the same environment.
Moving up
A long career in internal audit can be hugely rewarding. But, for many people, a stint in the function is a chance to build an in-depth understanding of all aspects of a complex business and to spend time outside the day-to-day management of any one department and gain a broader view of the organisation and its markets. This experience is not only interesting; it can provide the operational knowledge and industry insights that are invaluable for a member of the senior management team. Here we ask two former HIAs in very different businesses to explain how their time in internal audit helped them to secure a seat on the board and why the experience changed their understanding of the profession.
I would certainly recommend to others that they should work in internal audit. Vodafone encourages people from other departments to work in internal audit for short stints. It's fairly easy to get people up and running quickly, because we've got a well-structured, well-managed team with a good induction mechanism. The benefits work both ways: someone from operations can offer specific knowledge to an audit as well as learning about new areas of the firm. It's also a great opportunity to get to know people at the top of the company. And it's a chance to gain international exposure, because we operate audits across all our regions, whereas most Vodafone jobs are based in one region or country. I'd worked at the company for 20 years, but my time in internal audit sent me into parts of it I'd never seen before. For instance, I gained an understanding of our network resilience and technology security. This informed my role running the risk management function, leading to discussion of some issues at board level. I saw the chance to go into internal audit as an interesting challenge, but I wasn't sure I was going to enjoy it. In fact, I really enjoyed it because it was rewarding to see that I could make an impact and lead a global team. Now that I am again heading audit committees, my experience in internal audit is really helpful. I used to have a regional team to brief me on audit committee issues, but now I talk directly to the internal auditors. I appreciate how important it is that they feel they don't have to protect management. I'm also more aware of the importance of resilience and I can influence decisions better because I understand the issues. John Otty is a member of the IIA's Heads of Internal Audit service and its Internal Audit Leaders Forum.
unless they have worked in internal audit. That's why it's so valuable to spend time in internal audit or a risk/compliance function. Being an HIA enables you to form an overview of the whole company and join dots and see patterns that would otherwise be hidden. It also encourages you to think more about the downsides than most managers tend to. Used with balance, this is a good thing. I'm now probably harder on our internal audit function than I would have been if I hadn't worked in it, because I understand how much value it can add when it works well. If I'm confident that the team is doing its job well, I know that I can back its findings if a disagreement or conflict should arise. Independence shouldn't be confused with lack of interaction
with business units. A top-quality audit team shouldn't have to do a full audit to raise issues or have an informed opinion. But all parties need to appreciate the need for independence. If a business unit knows about a problem and doesn't tell internal audit, it can be just as bad as if it doesn't know and the problem emerges only as the result of an audit. You need to foster a culture in which people can contact internal audit about a concern and know that, rather than being held against them, the issue will be treated fairly and consistently. Skills such as communication, teamwork and quickly understanding topics apply to all management roles, so there shouldn't be a huge jump to move from internal audit to other areas. Business is all
about taking risk, so all managers benefit from understanding the balance that has to be maintained and the importance of keeping the right perspective. But it is important that anyone moving out of internal audit is confident that they won't find previous disagreements held against them. A mature company will understand that some disagreements are necessary and should not be personal. The internal audit role can involve identifying failures and that can be appropriate in certain circumstances, but it's usually better to present these as constructive advice on making improvements. After working in internal audit, I now stress that I don't like staff in the business to be given the objective of having "no failed audits". I realise that this isn't in their control and would prefer to have objectives such as "issues identified in audit rectified in time agreed". I've also learned that organisations spend too much time discussing audit grades when they should be focusing on what needs to be
changed and how and when this will happen. I'm far more aware that audits throw up things that extend beyond one function or business unit. If an audit finds evidence of weaknesses further along the organisational chain, then it's important to address these and not wait for another audit. It is easy to be siloed in business. In audit, the real value often comes when the silo is broken. This broader picture is one of the great strengths of internal audit. For example, it's highly unlikely that any one audit will pick up an isolated fraud, unless auditors are lucky with their sample. It's far more important that it highlights weaknesses that could create opportunities for fraud. If fraud happens, it's easy for management to say: "What was the IA team doing?" Now that I've worked in internal audit, I understand that this can't be expected, except in a few rare cases. I appreciate more the ways in which internal audit prevents fraud and other problems arising in the first place and where it really adds value throughout the company.
How have you seen your role evolve over the years? To have your say on this and other issues, visit www.auditandrisk.org.uk. For more information about the IIA Internal Audit Leaders Forum, contact paul.roberts@iia.org.uk
Early-warning system
Words: Neil Hodge
Although businesses now focus more on risk management and internal control than they did before the financial crisis of 2008, the spate of governance disasters, bankruptcies and regulatory censures in the crisis's aftermath have prompted many observers to wonder whether organisations have a blind spot when it comes to spotting the next big event that might hit them hard. While the telltale signs of trouble will vary from firm to firm, HIAs say that the principles of managing and communicating emerging risks are very similar for most businesses. In essence, risk information needs to be brought up from ground level to the board, while the management needs to ensure that action to control and mitigate these risks is taken throughout the organisation. Phil Summerton, head of internal audit at security management firm G4S, says that, in a large company employing 620,000 employees in 125 countries, regional teams are responsible for completing their own risk profiles. This means that, while the corporate centre has overall responsibility for the development of processes, local teams need to ensure that they are appropriately set up to manage their own risks.
How can organisations improve their awareness of nascent threats that aren't yet on the radar? When potentially huge risks are involved, vigilance at all levels and good communications are crucial.
For our business, risks should be identified and picked up at a local level, Summerton says. These should then be appropriately communicated up the chain. It is this communication process that's a core part of managing any risk strategy. G4S categorises its quantifiable risks under four headings: financial impact; severe impact on achieving business objectives; reputational damage; and disruption to business. These form the basis of its global analysis, Summerton says. An integrated risk management process is vital. The first part of this is to ensure that a robust process is in place. The second is to ensure that people have bought into it, he says. This is where appropriate training and engagement is necessary. By creating a culture of transparency, you will ensure that the process is duly followed. While HIAs agree that it is important to have established protocols for sharing risk information, many believe that the speed at which that information is relayed is also crucial. Bruce Vincent, senior vice-president and head of global internal audit at InterContinental Hotels Group (IHG), has developed a process called dynamic risk assessment
to help highlight emerging threats as quickly as possible. It's a continual, flexible and reactive approach that ensures we are aware of risks as they emerge, he explains. This requires close engagement with the organisation's stakeholders to determine issues that may be affecting their operations. It ensures that we can get constant access to risk information so that we can apply our resources to the best effect possible where risk matters most to IHG, he says. Vincent says that the information received through the assessment is fed into assurance maps, which provide a better idea of how the risks should be controlled and of who needs to take responsibility for managing these.
Rapid response
Access to risk information is crucial and the speed at which you can get hold of it can be a determining factor in how well you deal with it, Vincent says. Our approach is to make everyone in the organisation aware that risk management and assurance is important and that they all have a duty to identify and report anything that they feel may have a negative impact on the business. Internal audit can then assess that information and suggest appropriate measures to the people responsible for managing the areas affected, he says. Vincent adds that collaboration at the top of the organisation is also vital. He is part of the company's risk working group, which is led by the head of global risk management and includes the general counsel, the head of strategy and the head of programmes (as well as any other senior people who have a particular interest in the matters under discussion). This group meets at least quarterly to discuss big risks, which are disclosed in the annual report and communicated throughout the business to
ensure that employees are aware of these and of the action they may need to take to identify, mitigate and report instances where such risks have been found. Vincent says that there are numerous ways to ensure that the board makes emerging risks a priority. There is nothing like showing executives what has gone wrong at a competitor to explain the seriousness of a similar occurrence in your own organisation. They understand the scale of the problem and quickly, he says. Another good idea is to "make it personal", he says. If you know what the objectives are of each senior manager, you have a much greater opportunity to show how a particular risk, if not properly managed, could stop them from achieving their goals at an individual level. That will get their attention. Justin Murrell, director of risk management and internal audit at Land Securities, a FTSE-100 commercial property company that focuses on the retail and London office sectors, also believes that close interaction with the board is important in addressing emerging risks to the business. As I report directly to the chief executive and the executive committee and meet senior managers regularly, I get a very clear sense of their objectives, their views on risk and which risks they are going to prioritise, he says. Over the past few years, Murrell says, there have been several important trends that the organisation has had to prioritise as risks to its business. The first is the growth of online shopping and the rise of click and collect retailing, while mobile applications and Wi-Fi technology have also changed the purchasing experience and forced the organisation to incorporate these new channels into its shopping centres. Consequently, the organisation monitors emerging risks through a mixture of
internal and external sources. We have a relatively small number of employees, just over 600 people nationally, which makes it easier for us to get people to feed in risk management information that we can use to get a better sense of consumer trends and which risks are becoming priorities. But we also make good use of the information we get externally. For example, we can measure footfall in our centres to check spending patterns and look at the revenues of the businesses based there to see how they are doing. We also look at social media to see what's being said about our centres, which gives us a much better idea of what the organisation may need to do in order to meet customers' expectations. It is vital that we keep our ear to the ground. Another key characteristic of a successful risk identification process, according to many HIAs, is a close and collaborative relationship between internal audit and the risk management function. Chris Brookes, director of internal audit at global consumer packaging manufacturer Rexam, says that his department works with the risk team as part of the group's enterprise risk management (ERM) function. This is a tight-knit group function that brings together risk leaders, managers and functional experts from the different parts of Rexam's canning operations in North America, South America, Europe, Africa, the Middle East and Asia, which represent 90 per cent of the business; and from the healthcare plastic packaging operations that make up the remaining part. About two years ago Rexam further refined its risk management processes when it established a risk leadership team comprising risk leaders, managers and functional experts from within the business, the group ERM function and internal audit. Its
brief is to consider risks in more than 20 countries, look at the management controls in place to mitigate those risks and then prioritise ones for further review and monitoring. The overall programme is then reviewed by the company's audit and risk committee on behalf of the board. Brookes says that regulatory developments and new consumer trends are two key areas in which the firm looks out for emerging risks. Legal changes concerning packaging are an obvious area of concern to us. We need to keep on top of any such regulations that are likely to come into force in our countries of operation, he says. But changing consumer trends also present challenges that we need to be responsive to, including changes in lifestyle, taste, nutrition and health, all of which could lead to shifts in demand away from our products
Long-range forecast
The Met Office also applies a collaborative approach to help identify and quantify the impact that emerging risks might have on the organisation. Its HIA, Jonathan Kidd CMIIA, says that its risk review committee helps to ensure that there is a collaborative approach among senior managers, risk managers and internal auditors to identify new trends and suggest appropriate actions. He serves on the committee with senior managers and the head of risk management. Together they discuss which factors are most likely to affect corporate strategy and report their findings to the audit committee. Kidd says that the organisation conducts horizon-scanning exercises to see what the key emerging risks will be over the next year, two years and three to five years. There are four key areas of focus: operational delivery; financial impact; legal, compliance and regulatory; and reputational risk. We use a heat chart and map these risks, their likelihood and potential impact against our corporate objectives, Kidd says. Once these are prioritised, internal audit works with risk management to monitor and review them and provide assurance over the controls designed to mitigate them. Our findings are then passed on to the audit committee and the board.
Given the needs of the organisation, Kidd believes it's necessary for internal audit to be more hands-on in the risk identification process. Resources are tight and demands are increasing, he says. It is not tenable for internal audit only to review what others are doing; it needs to get more directly involved in the risk process. He adds: There is heightened demand at board level for internal audit to work more closely with risk management so that they can form an integrated view. Internal audit does not own risk, but we need to be able to deliver our views and any information we have to hand on emerging risks, so that risk management can act on our findings. FOR MORE INFORMATION The institute will be running a course on Auditing enterprise-wide risk management in York on 22-23 May. Visit bit.ly/IIAERMauditing for details. Philip Summerton, Chris Brookes, Justin Murrell and Bruce Vincent are members of both the IIA Internal Audit Leaders Forum and the Heads of Internal Audit Service (HIAS). Jonathan Kidd is a member of the HIAS.
EQA FAQs
The institute has completed external quality assessments (EQAs) in the insurance, manufacturing, charity, housing and education sectors so far. Members are telling us that their experience of these has been positive and we believe that focusing on continuous improvement is the right approach. It may sound obvious, but EQAs tell us the issues that internal auditors face every day. This knowledge influences our policy discussions, guidance and training. It's been interesting to see the reality of internal audit in the context of each organisation and how each function adapts to its environment, says Sarah Blackburn CFIIA, a former president of the institute and current member of the EQA review team. It reinforces the wisdom of our Standards as principles, which can be interpreted in so many ways in different organisations yet fulfil the same essential purpose. The very fact that the Standards are flexible means that our reviews are examining the issues that matter and delving into the ways that internal audit makes a difference.
The institute's technical manager, Chris Baker CMIIA, explains the value of an external quality assessment, what happens during the review process and how best to prepare for one.
good governance and the role that internal audit can and should play. The emphasis of an EQA depends on what the client wants. Some heads of internal audit who are new in their jobs or in the process of a reorganisation may want it to focus on new ways of working. For others, conformance is the crucial concern. The point is that we are flexible and can tailor a review to specific circumstances without compromising our own objectives. It's therefore important during the planning stage for us to listen to clients' expectations and talk through the practicalities; after all, this is not meant to be an audit of auditors. As our portfolio of reviews grows, we are building our knowledge of what works in a range of organisations, having seen some interesting approaches to resourcing, measuring performance, reporting and taking action. Perhaps the most rewarding part of doing an EQA is acknowledging the good things we see and discussing new ideas and plans. It seems that everyone has something to offer in terms of insight and innovation, so it's an objective of ours to build a comprehensive benchmarking database that we can share with members to enhance the profession's overall performance.
Readiness reckoner
Kay Peacock, head of corporate audit services at the Atomic Weapons Establishment, describes some of the preparations that her team made before its EQA in January, which contributed to a successful outcome: Doing a self-assessment based on all 56 IIA Standards can seem daunting at first. My advice would be to choose a few Standards with which you can readily identify conformance and record what you do. This soon gets you into a rhythm. We assessed each Standard on a separate page using a template and filed them all in numerical order. This helped to identify the evidence we needed. We also created an evidence file to link documents to Standards. In some cases one document applied to several Standards. This meant that the reviewers could easily access our files and understand our approach. Lastly, we incorporated action plans into the self-assessment so that we could discuss proposed changes with the review team. The reviewers were then able to acknowledge our achievements and confirm that we were on the right track.
The review team prepares two reports at the end of an EQA. The first is a summary of the key areas for development. This is of prime interest to the audit committee and senior management, enabling them to reflect on issues affecting governance, risk management and assurance. For this reason we generally present recommendations in order of importance, rather than in Standards order, although we will state our opinion about the overall level of conformance. The second report contains the detail of the review that informs our opinion and provides the basis of our recommendations. We use our self-assessment checklist, updated for the 2013 Standards, to consider how the internal audit activity interprets and implements each Standard. Where the review is a validation of a self-assessment, the process is much quicker and cheaper because the in-house team has done the groundwork.
By their nature, full EQAs take longer (probably about eight days) and we may conduct these over a fortnight, looking at attribute Standards in the first week and performance Standards in the second. This should give the internal audit team a bit of breathing space during the review.
interpretation to allow the internal audit activity to adapt to an organisation's unique circumstances. Our self-assessment caters for this by listing options to implement the Standards, but these lists are by no means comprehensive and other solutions may have been devised. As long as we can see evidence that the approach works, we'll be able to conclude that there is conformance. To gain further assurance, we conduct face-to-face interviews with senior managers and audit committee members. Because these can take a bit of organisation, they tend to be done around the examination of internal audit documentation. We find that scope of work and internal audit planning is the best place to start, as this gives the reviewers an immediate view of the function's methods and resources, which will inform the interviews.
At present the quality services panel comprises a team of ten reviewers, who have many years' experience at the top of the profession, so we are confident that we can cover most sectors. We have up-to-date knowledge of what it takes to run an effective internal audit operation and we can share good practice based on a broad base of expertise (a full list of reviewers on the quality services panel, along with other details about EQAs, can be found in the Our services section of www.iia.org.uk). You can expect a degree of challenge, therefore, but it will come through discussion and an appreciation of the day-to-day practicalities of running an internal audit department.
A world of knowledge
The IIA is always working to produce guidance aimed at helping internal auditors to stay at the cutting edge of best practice. Pauline Scott, technical coordinator, reports on the technical team's recent work to support members.
If you've ever wondered what kind of information and assistance the institute can offer its members, or you've considered getting in touch with us to help with a query or concern about your work, then it might help you to get an idea of the guidance provided by the IIA technical team. Requests for information come in to us every day and our new website has made it even easier for members to submit queries (www.iia.org.uk). There is a specific "Ask the resources team" page, while every page in the Resources section has a column on the right-hand side where you can enter a question and provide contact details, no matter which resource you are looking at. This is already having an effect: we are receiving more queries than the 30 we averaged each month before the new site went live. The subjects of these questions vary widely, but some of the most popular topics are: sampling, assurance mapping, performance measurement, risk-based internal audit and audit charters. Some of these are answered in the "You asked us" section of this magazine on page 32. A few may also be used as the basis of extended Q&A-style guidance documents. Our most recent publication of this kind is about the audit universe and can be found at bit.ly/IIAauditUniverse.
You will also see on the new website that instead of publishing guidance as a PDF file we are now providing it on the site itself. We aim to have all the 2012-13 guidance online soon. This will make it simpler for us to update and more straightforward for members to browse the full range of guidance. It should also make it easier to locate and print guidance on particular topics using our search engine and Google. With the help of volunteers through our guidance working group, we produced five articles last year offering tips on communication results, audit engagements, writing about risks, internal audit strategic plans and performance management. These can all be found under the Resources tab on the website. We have also prepared longer pieces of guidance on: Solvency II: the role of internal audit. Supervising audit engagements. Providing ethical assurance to boards. Influencing skills. Working with stakeholders. Mentoring for internal auditors. Using coaching to develop internal auditors.
In addition we've produced podcasts on quality, international standards, reputational risk and communication. This year, while we are continuing to develop more material of this kind, we are also in the process of implementing a new guidance strategy. This involves looking at how we define and prioritise the information we provide as well as how we publish and communicate it. As part of this process we are refreshing and reissuing some of the older guidance. It is important that we know what members want and what you think of the guidance we produce, so please let us know (0845 883 4739; technical@iia.org.uk). And do tell us if there is something that you would like to get involved in; we're always looking for volunteers. We want to know what you think and we need your help. This is the only way we can continue to improve what we are doing and produce the quality and quantity of guidance that we do.
Are you a professional internal auditor holding either the IIA Diploma (PIIA) or IIA Advanced Diploma (CMIIA)? Are you just starting out in your career in audit?
If so, contact BHBi to find out how the BHBi Triple Qualification could help you increase your professional standing and become more marketable. BHBis Triple Qualification comprises of: CMIIA/PIIA Award Chartered Management Institute (CMI) Level 7 Diploma in Strategic Management & Leadership Chartered Manager (CMgr) status
Chartered Manager is the highest status that can be achieved in the managerial profession. Awarded only by CMI, it is recognised throughout the public and private sectors, across all management disciplines.
If you hold the CMIIA Award or the PIIA Award already, take the fast track route to enhanced CPD and further qualifications and achieve: the CMI Diploma in Strategic Management & Leadership; Chartered Manager status. If you're just starting out in your career in auditing you can study for your professional qualifications with BHBi and have the Triple Qualification built into your training! This will help you become more marketable, enhance your career prospects and gain access to professional networks whilst also demonstrating a high level of strategic competence and audit and managerial professionalism. For a confidential discussion on how BHBi can help you achieve more from your professional auditing qualification contact: Mark Barnes Tel 07906972147 Email markbarnes@bhbi.co.uk Paul Haley Tel 07973911317 Email paulhaley@bhbi.co.uk
www.bhbi.co.uk/triple-qualification
BHBi has been quality assured and assessed by the CMI to offer the fast track route to enhanced, continued professional development. Offering a wide range of practical professional resources, CMI membership will not only enhance your employability, but help take your professional practice to the next level and beyond.
PREMIER PRACTICE
You asked us
Q&A
Our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you've submitted recently.

Q. I have been asked by my audit committee to help ensure that it complies with the IIA's requirements for reviewing the effectiveness of internal audit. I can't find any such requirement on the institute's website. Can you advise me whether there are any and, if there are, where I can find a copy?

A. The basic requirements set out in the International Standards (1300) are that internal audit should have a range of internal and external measures of assessment for reviewing effectiveness. From an internal point of view, that means performance measures, supervision, self-assessment against the Standards and reporting of performance. Externally, you are required to have a five-yearly review against the Standards by an independent reviewer. The guidance in the institute's resources library entitled Quality assurance and improvement programmes gives more detail, which you could share with your audit committee. There is also a self-assessment checklist at bit.ly/QualityServices, along with the services we provide in this area.

Q. We are planning to develop a standard audit programme to test the various self-assurance processes (second line of defence) established by the business. I'm seeking guidance that would be applicable to such an audit. I haven't been able to find anything directly relevant on the IIA's or IIA Global's websites. Is there any material available that could serve as a starting point for creating such a programme?

A. There are three pieces of guidance in the IIA resources library: Coordination of assurance services, Coordinating risk management and assurance and Reliance by internal audit on other assurance providers, that may be useful. There's also an external quality assessment checklist at bit.ly/IIAselfAssessCheck. The performance standards may provide some guidance and a format to work to. Other things to consider include the adequacy of the work, the depth of coverage, the level of competency, the approach taken and the key risks covered. Key questions to consider should include: is it done on a regular basis? Is there enough documentary evidence? Is there sufficient testing?

Q. In the light of the new public-sector audit standards, I'm reviewing our audit services charter. I also want to review the audit committee terms of reference. Is there any new guidance for audit committees in local government that reflects the new standards? If not, are Cipfa's good-practice guidelines still the most applicable?

A. Cipfa's guidelines are still applicable. While the public sector has adopted our Standards, the previous internal audit standards were similar, so the change has been evolutionary rather than revolutionary. There is a document in our resources library, What every director should know about internal audit: essential information for boards and audit committees, that might be useful.

Q. I want to overhaul the internal audit manual I've inherited. It would be useful to receive a copy of any versions that have been provided to the institute for sharing. Can you help?

A. Unfortunately, there is no specific standard or guidance on the content of internal audit manuals. This is mainly because they are working documents that are unique to each internal audit activity. Having said that, there are some common features, including the internal audit charter, organisational structure, policies and procedures, quality-control arrangements and reporting mechanisms. If you cross-check your existing manual or ideas for a new one against the new International Standards, you'll be on the money. You could use the Forums pages of the Resources section of www.iia.org.uk to find people willing to share information. You could also visit bit.ly/IIAglobalOpsManual on the IIA Global website. Alternatively, simply typing internal audit manual into Google will produce quite a lot of useful material.

Got a question? Contact Chris Baker on the IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School.
Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience. We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes: full time, block release or flexible learning*. The programme of study provides: - Single assessment for each module using both assignment and examination methods - Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels, as well as adding value through real world industry and professional experience - Significant visiting practitioner involvement in the delivery of each module - A cost effective pathway to internal audit career development. Annual course fees for September 2013 and January 2014 enrolments are 7,500 (full time) or 4,500 (part time) and include all learning materials and subscription/examination fees payable to the IIA. For further information, please visit our website: www.bcu.ac.uk/audit or contact us directly on mscaudit@bcu.ac.uk or 0121 331 6595 / 5623.
* Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.
Full details can be found on the website and you can register online at www.iia.org.uk For further information please email ciiamids.event@gmail.com
Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see what's new.
UPDATE
Renew your membership
Your membership of the Chartered Institute of Internal Auditors demonstrates your commitment to the profession and gives you unlimited access to extensive internal audit resources. By renewing you will secure your place in the internal audit community and ensure that you are best prepared for today's internal audit challenges. Remember that, if you hold an IIA designation (CMIIA, PIIA, IACert, QiCA, CFIIA or FIIA) and wish to continue using it, you must maintain your membership. Renewal notices were sent to members in March. Now is a good time to ensure that the IIA has the correct contact details for you. To do so, please contact customer services. If you have not received your renewal, contact the membership team on membership@iia.org.uk or call 020 7498 0101. Please note that members through an employer's group scheme agreement will not receive a renewal notice. Subscription rates from 1 April 2013 to 31 March 2014 are set out below and members can pay online.
2013-14 Fellow & CMIIA Voting Affiliate Student Retired 223 212 169 111 50
We round up the latest business and regulatory news to affect the internal audit profession.
The IIA is holding the largest annual gathering of internal auditors next year. It needs your help to make this an occasion to remember.
planning for the conference and it will be asking for your support very soon. Don't forget to visit www.iia.org.uk for regular updates about the event. You can also follow the IIA on Facebook, LinkedIn and Twitter for news and exclusive offers. FOR MORE INFORMATION If you are interested in speaking at the event, nominating someone you know or volunteering your time, contact Ann Cantillon at ann.cantillon@iia.org.uk
Congratulations to the IIA members below, who were successful in the November 2012 exams.
The IIA is the only organisation offering recognised professional qualifications for internal auditors in the UK and Ireland.
Ackred, Matt R Aladejebi, Tolulope Arrowsmith, Steve Aziz, Nadeem I Baird, Barbara Barker-Arnone, Emma Bilsborough, Neil J IIA Advanced Bolton, Melissa M Diploma exams Breach, Paul J completed Brown, Rebecca L Byers, Matthew J W Ashmore, Victoria Cave-Ayland, Charlotte Colyer, Gary C Binney, Myles D Cooper, Richard B Bradshaw, Heather IIA IT Auditing Coulthard, Rachael Burrage, Peter Certificate exam Cowie, Amanda J Caddle, Mark S completed Dadhania, Jasmine Cameron, Angela Dadrah, Inderdeep Chalmers, Amanda Ashford, Natasha Evans, Saida Chumun, Mangesh Burns, John J Fanning, Nicholas R Clarke, Paula Cahill, Donal P Fittall, Rachel E Clarke, Steven Clarke, Stephen W T Flaherty, Alice Coveney, Paul D Cox, Leisyen Franklin, Andrew Davies, Victoria A Free, John M Shelton, Timothy C Goold, Anita C Spanner, Michael W Del Greco, Gabriella A Griffiths, Emma E Stanbury, Stephen P Dennis, Hannah E Haggerty, Robert J Whyte, Angela C Gilchrist, Laurie J Hainsworth, Richard A Gough, Paul Harris, Heather M C Hall, Mabel M Hay, Jason The following Hammond, Angela D M Hayre, Baljit students Hirst, Matthew Haywood-Evans, Andrew successfully Jackson, Craig S Howe, Sarah J completed the Jonas-Nartey, Jocelyn Jeffree, Andrew J following exams in Jones, Myra L Kaur, Sharonjeet November 2012: Keles, Mert Kendall, George P1 The Internal Kirtley, Robert B Kent, Benjamin AuditEnvironment Lapish, Kirstie E Long, Duncan Le Roux, Lone K Lucas, Kane A Abralava, Nini Maggs, Ian P Magog, Catherine E Aitken, Anne Majury, Stephen J Marshall, Imogen Al Ruqeishi, Yasir Manson, Christopher J Nicholson, Christian M Allen, Lisa M McClurg, Alan D OReilly, Elizabeth Amber, Tayba McDonagh, Philip Paling, Megan L Armstrong, Darren Mills, Catherine A Penlington, Mark J Baird, Barbara Mulligan, Kevin Baker, Donna M Shepherd, Douglas C Mulvey, Keith Brooks, Francia J Onasanya, Ayodeji Sloan, Linda Clegg, Richard J Owen, Gillian D Spencer, Jill Cowie, Amanda J Pap, Timea Tang, Adrian Dimopoulos, Georgios 
Parnell, Fiona J Tariq, Moazzam Doran, Fiona Pong, Jessica Thomas, Craig Dunn, Debra K Powell, Gemma K Tyrrell, David Fanning, Nicholas R Proctor, Cassie Valenti, Nicoletta T Finch, Susan Rawal, Sohal Wagner, Svetlana Firth, Adam Redward, Tim J Winn, David R Fyhr, Jess Rees, Nerys E Wood, Matthew Goodredge, Faye Robb, Daniella L M Grun, Jakob J Woodward, Julie L Savage, Mark
In November 2012 the following students successfully completed the examined element of the IIA qualifications:
Smith, Frances Smith, Lisa A Somerville, Sheryl Sully, Adam D Swift, David Thomas, Alex Vaughan, Noel P Velvick, Jonathan Virketyte-Lleshi, Inga Ward, James L Webb, Joseph Whitlam, Daniel J Wilkin, Gary A Wong, Maurice Wykes, Frances
Head, Steven Hedges, Sophie Hegarty, Caroline E Henderson, Tracy A Hood, Harvey Horsman, John Hurd, Samuel R Jeffree, Andrew J Kapembwa, Tuntu S Khanom, Kamrun King, Garry Lee, Anne Lee, John P Lyons, William M A Marco, Nagore McNeill, Angela Minina, Irina Mohal, Nazmin R Mulvey, Keith Nobbs, Kim R Norman, Suzanne P Page, Michael Pendleton, Jacqueline Perkins, Tess Potter, Sarah L Rees, Andrew Ritchie, Martin Roberts, Linsey Rowbotham, Thomas R Sheldon, Jennifer Smith, Lauren Somerville, Sheryl Starkie, Emma Starr, Carolyn F Swift, Louise M Symons, Andrew J Vicary, Yvonne J Webb, Joseph Wilson, Charlotte Winn, Alison J Yates, Sarah
Hainsworth, Richard A Harris, Heather M C Hay, Jason Hayre, Baljit Keenan, Ciara Keles, Mert Kirtley, Robert B Koterba, Silvan M Mahmood, Nassir M Manson, Christopher J Marco, Nagore McClurg, Alan D McDonagh, Philip Mills, Catherine A Moore, Jacquelyn Mulligan, Kevin Nobbs, Kim R OHalloran, Brendan C Parnell, Fiona J Perkins, Tess Pong, Jessica Proctor, Cassie Robb, Daniella L M Rollitt, Sarah A Smith, Frances Somerville, Sheryl Spurrier, Sarah E L Starr, Carolyn F Sully, Adam D Swanney, Mark Thomas, Alex Virketyte-Lleshi, Inga Watts, Jenny Wykes, Frances
P3 Internal Audit Practice
Abbas, Samuel M Abbott, Rachel Adams, Nicola C Allen, Lisa M Armstrong, Katie Baker, Donna M Barratt, Phillip A Bartlett, Sloane M Begum, Laila Brook, Rebecca J Brown, Rebecca L Bruce, Jennifer Chiocca, Michaela Chivers, Francesca Cuthbert, Sinead Dainton, Suzanna A M Diable-White, Emma N Dimopoulos, Georgios Dunn, Jennifer L Edwards, Gareth Edwards, Matthew J C Eldridge, Steven D Evans, Saida
Finn, Angela Free, John M Fuller, Daniel Gando, Loide Giblin, Marie Graffham, Alice Grant, Naomi Hampton, David Hazell, Stephanie V P Head, Steven Heaven, Gareth J Hegarty, Caroline E Henderson, Tracy A Herrington, Joanna Hodgson, David M Hood, Harvey Hussain, Belal Hyde, Darren J Jones, Emma F Kilcullen, Annette King, Garry Koterba, Silvan M Macdonald, David Margreaves, Michaela Martel, Gina Mboa, Marcel McCabe, James A McNeill, Angela Meates, Alan Mistry, Jaina Mulvey, Keith Nour, Khadija OHalloran, Brid OMahony, Rose Page, Hannah L Potter, Neil Rees, Nerys E Ritchie, Martin Rose, Anthony D Saffin, Alexis G Sands, Martin J Scattergood, Paula Shah, Nalin Sharp, Abigale Shufflebotham, K T Symons, Andrew J Taylor, Julie Taylor, Siobhan Trenchard, Charlotte Tuson, Richard Vaughan, Noel P Vhora, Salma Walker, Karen J Welsh, Robert Wicks, Laura E Wilby, Leanne Williams, Nanette R Wilson, Daniel J Wyatt, John M
Working with aspiring members of The Chartered Institute of Internal Auditors since 1989
Ackred, Matt R Amos, Martin J Arrowsmith, Steve Baldwin, Tanya Barker-Arnone, Emma Bartlett, Stuart E Bessell, Robert Binnie, Andrew P7 Internal Audit Blahyj-Murfitt, V M Practice Case Study Boughton, Joanne E Clements, Sam O Aladejebi, Tolulope Colbert, Suzanne J Aziz, Nadeem I Couch, Nathan Cave-Ayland, Charlotte Coulthard, Rachael Flaherty, Alice Cowie, Amanda J Lapish, Kirstie E P5 Corporate Cull, Barrie A Nguyen, Dylan Governance Cuthbert, Sinead Ogunbona, Patience and Risk Dadrah, Inderdeep Savage, Mark Management Davidson, Blaine S Schembri, Johann Davies, Rachel Smith, Lisa A Abbas, Samuel M Diable-White, Emma N Whitlam, Daniel J Acton, Amanda Evans, Saida Bilsborough, Neil J Eyre-Walker, Louise Breach, Paul J Finch, Susan Brown, Rebecca L M1 Strategic Flaherty, Louise Bruce, Jennifer Management Free, John M Byers, Matthew J W Garner, Gemma L Clements, Sam O Ali, Mohammed K Goldsmith, Lorna C Doyle, Allan Atkinson, Andrea A Goold, Anita C Duffield, Deborah N Bennett, Alison A Griffiths, Emma E Dunford, Wayne L A Bennett, Helena Haggerty, Robert J Edwards, Gareth Binney, Myles D Hay, Fiona Eldridge, Steven D Braamse, Jacques Hay, Jason Fisher, Alexa C Bradshaw, Heather Hayre, Baljit Franklin, Andrew Briers, Imogen Hedges, Sophie Free, John M Brown, Steven E Holden, Russell Hampton, David Chalmers, Amanda Howe, Sarah J Haywood-Evans, Andrew Charlton, Alison R Jeffree, Andrew J Heaven, Gareth J Clewes, Joanne E Kaur, Sharonjeet Hood, Harvey Coveney, Paul D Keles, Mert Kilcullen, Annette Dennis, Hannah E King, Maria A Larcher, Timothy A B Elliot Cartwright, Lee B Kirtley, Robert B Lewis, Katherine J Flint, Paul A Laming, Adrian P Long, Cheryl Frankham, Barry P Le Roux, Lone K Majury, Stephen J Fuller, John R Macdonald, David Meates, Alan Gilchrist, Laurie J Maggs, Ian P Morson, Claire Graves, Sarah L A Majury, Stephen J OMahony, Rose Hanson, Barry N McDonagh, Philip Pendleton, Jacqueline Jackson, Christopher Mills, Catherine A Purdy, Sharon E Johl, Gursimran K 
Minina, Irina Rees, Nerys E Jonas-Nartey, Jocelyn Moorghen, Ming Reid, Oliver Lambert, Paul Morris, Christopher Rimmington, Mal Marshall, Imogen Murray, Rachel Robinson, Jonathan E Matkin, Katerine M Neal, Gareth Sands, Martin J Mistry-Chauhan, Gita Norfield, Mark Sethi, Nittan Moore, Christopher D O'Kane, Ryan Smith, Adrian B Ni, Jun Feng Onasanya, Ayodeji Owen, Gillian D Smith, Kimberley A Pope, Robert Pap, Timea Swanney, Mark Reed, Philip Pong, Jessica Swift, David Robinson, James
Powell, Gemma K Proctor, Cassie Rawal, Sohal Redward, Tim J Robb, Daniella L M Rollitt, Sarah A Simoes, Pedro Sully, Adam D Taylor, Julie Telford, Chris Vaughan, Noel P Vose, Kathryn White, Jessica Wilkin, Gary A Wong, Maurice Yang, Ruoliu
Symons, Andrew J Telford, Chris Trenchard, Charlotte Vaughan, Noel P Velvick, Jonathan Ward, James L Webb, Joseph Wicks, Laura E Wilby, Leanne
Semken, Timothy Shield, Bernadette J Stenner, Mark Tang, Adrian Thomas, Craig Thompson, Sarah Thrupp, Michael J Towse, Mark N Wain, Ashley A Williams, Michael J Wood, Chris
M2 Financial Management
Ali, Mohammed K Bartholomey, Jennifer Bennett, Alison A Binney, Myles D Bolster, Peter Brown, Steven E Caddle, Mark S Cameron, Angela Clarke, Paula Clarke, Steven Clewes, Joanne E Comley, Wayne Davie, Gemina Del Greco, Gabriella A Dixon, Joanna Ford, Robert S Fraser, Heather Gibson, Gary Hall, Mabel M Harrison, Andrew Hirst, Matthew Hussain, Zakir Jackson, Craig S Johl, Gursimran K Kailey, Rupinder Khan, Khadim Lambert, Paul Long, Duncan Magog, Catherine E Mearns, Vicki Meehan, Anthony Nicholson, Christian M Paling, Megan L Paul, Jennifer Robinson, James Rodgers, Sarah K Sloan, Linda Spilsbury, Grant B Stenner, Mark Tang, Adrian Valenti, Nicoletta T Walsh, Susan Winn, David R Wood, Matthew
Clarke, Paula Clarke, Steven Coleman, Susan Coveney, Paul D Davies, Victoria A Davis, Paul R Del Greco, Gabriella A Dennis, Hannah E Edwards, Karen Fisher, Karen Gilchrist, Laurie J Gough, Paul Harrison, Sharon F Heather, Alison Hussain, Zakir Jackson, Craig S Jonas-Nartey, Jocelyn Jones, Myra L Kendall, George Kent, Benjamin Long, Duncan Lucas, Kane A Mistry-Chauhan, Gita Ni, Jun Feng Nicholson, Christian M OReilly, Elizabeth Otero Tourino, Pilar Paling, Megan L Patel, Jashita S Penlington, Mark J Ravindranathan, Ramah Seymour, Rebecca Shepherd, Douglas C Sloan, Linda Spencer, Jill Tang, Adrian Tariq, Moazzam Thompson, Sarah Tyrrell, David Valenti, Nicoletta T Veale, Peter Wagner, Svetlana Winn, David R Woodward, Julie L For more information on the IIA or its qualifications, contact the institute on 0845 883 4739, email info@iia.org.uk or visit www.iia.org.uk Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any error or omission.
Barron, Francesca H Belgrave, Natasha Binney, Myles D Brooke, Simon Burrage, Peter Burrows, David Caddle, Mark S Cameron, Angela
Events
For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.
May
14-16 15 16
23-24 24
18-20
IIA Scotland: risk management tools / business continuity planning software, AGM and annual dinner Edinburgh
21
IIA South West: an update on audit and risk latest trends St Peter Port
Lean auditing delivering added value from audit in an efficient way York
June
4-5 6-7 6-7 7
IIA award in effective delivery of audit and assurance LONDON
25-26
10
16-17 21
26-27 27-28
IIA regions and special-interest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk
21-22 22
July
2-5
Introduction to information systems auditing London
Insurance Internal Audit Group quarterly seminar (for information, email contactus@iiag.org.uk) London
The deadline for the July/August issue of Audit & Risk is 17 May.
22-23
12-13
The highly flexible design and dynamic working view of TeamMate CM allow for quick access to relevant data and for performing multiple activities from a single screen. Designed and developed with extensive input from experienced compliance professionals, it can be used as a stand-alone solution or seamlessly integrated with TeamMate Audit Management System.
Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
OU accreditation
Since 2007 the Open University has formally recognised that the IIA's professional qualifications are postgraduate level, with up to 60 general credit rating points for each of the IIA Diploma and the IIA Advanced Diploma, and up to 30 for the IIA Qualification in Computer Auditing. Members can use these ratings to support an application for another qualification that they wish to study for at a higher education institution. They may also take advantage of awards of specific credit towards particular OU distance-taught courses. Visit www.iia.org.uk/qualifications/open-university-accreditation for further information.
Extenuating circumstances
Candidates wishing for extenuating circumstances to be considered in relation to their exams should ensure that they read the IIA's policy in full before making a submission. The test applied for the consideration of claims will focus on any effect the extenuating circumstances could have had on the day of the exam. Circumstances that have affected a candidate's preparation weeks or even months before the exam and which are claimed to have affected their performance on the day will be subjected to rigorous scrutiny. Students who wish to submit details to the institute of extenuating circumstances occurring on the day of the exam must do so no later than two weeks after the exam if these are to be accepted. This correspondence must be accompanied by evidence in accordance with the requirements of the policy.
Case-study materials
The case-study materials for the IIA Diploma and the IIA Advanced Diploma are due to be available on the Exams pages in the Students section of www.iia.org.uk before the end of Tuesday 7 May.
Sponsored by
BOOK NOW. Both individual tickets and corporate tables are available. Contact Kim Reed to reserve a place for you and your team. Tel: 020 7819 1940 or email: events@iia.org.uk
These are just a selection of opportunities we have to offer, visit hays.co.uk/auditandrisk to search for your next big move.
hays.co.uk/auditandrisk
Internal Auditor
(25,666 to 33,481 Inclusive of High Cost Allowance) 37.5 hours a week Permanent We have an exciting and challenging opportunity within our internal audit department for a career-minded individual seeking to develop and enhance their internal audit experience. This is a key role within the department and requires a high level of integrity, objectivity and competency. Guy's and St Thomas' is one of the largest hospital trusts in the country, with around 12,500 staff; an annual turnover of more than 1 billion; and 1.6 million patient contacts a year. Our hospitals have a long and proud history and have been at the forefront of medical progress and innovation since they were founded. We also provide specialist services for patients from further afield. You will undertake a variety of interesting risk-based audit assignments, covering all aspects of the Trust's business, including financial and non-financial activities. You will have experience of internal auditing, including planning, testing and reporting. Ideally, you will have made progress towards a relevant qualification. For an informal discussion, please contact Rosemarie White (020 71884139) or Matthew Wood (020 71884125). To apply, and view the job description and specification, please visit our website http://jobs.gstt.nhs.uk and quote job reference COF1138. For further information about the Trust please visit our website at www.guysandstthomas.nhs.uk Closing date for applications is 22nd May 2013.
Our excellent benefits include final salary pension scheme. Please visit our website to find out more. Equality of opportunity is our Policy.
tel 020 7819 0101 fax 020 7978 2492 web iia.org.uk
This is a new position in a well known asset management group. They are seeking a part or recently qualified auditor with experience gained within the asset management industry, custody or investment banking/trading. The role covers all aspects of the funds business including equities, fixed income and alternative investments. You should have excellent soft skills and be able to foster good business relationships.
Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com
www.barclaysimpson.com/interimsolutions
Visit
www.barclaysimpson.com
to access a vast range of free online resources
Search hundreds of audit vacancies Find your current market value Information on where best to live and work Focus on Computer Audit Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the REC's Diversity Initiative.
Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com