I s s u e 11 M a y / J u n e 2 0 1 3

The magazine of the Chartered Institute of Internal Auditors

Black gold standards Armand Lumens,

chief internal auditor atShell, explains how a constant flow of new recruits from the business helps internal audit generate value

I s s u e 11 M a y / J u n e 2 0 1 3

Supplies surprise? What the horse meat scandal tells us about the risks of long supply chains C-suite careers: why internal audit offers useful experience for a job on the board Early-warning system: how to spot the next big risk before its too late

a. a thorough reversal of outdated technology and complete adoption of TeamMate b. a fundamental change in your audit approach; especially the overthrow or renunciation of one system substituted by TeamMate c. a changeover in use or preference especially in Audit Management Systems

TeamMate is still the Innovation Leader after all these years:

The first Windows based Audit Management System in the world The first Audit Management System to introduce Smart Device functionality

<the TeamMate Revolution>

The Global Leader in Audit Management

Risk Assessment Risk Based Planning Scheduling Extensive Audit Content Electronic Workpapers Surveys Checklists Image Scanning & Annotation Automated Report Generation Full Issue Remediation Tracking Time & Expense Tracking

# of audit departments adopting TeamMate each day # of Languages in which TeamMate is available # of Countries in which TeamMate is Licensed # of auditors using TeamMate daily # of CPD hours delivered in past 3 years

1 14 105

90,000 104,000

020 7981 0566

Contents
16 12

I s s u e 11 M a y / J u n e 2 0 1 3

The magazine of the Chartered Institute of Internal Auditors

Black gold standards Armand Lumens,

24
I s s u e 11 M a y / J u n e 2 0 1 3

chief internal auditor at Shell, explains how a constant flow of new recruits from the business helps internal audit generate value

18

Supplies surprise? What the horsemeat scandal tells us about the risks of long supply chains C-suite careers: Why internal audit offers useful experience for a job on the board Early warning system: How to spot the next big risk before its too late

Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Ruth Prickett ruth.prickett@caspianmedia.com 020 7045 7572 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.

Front
3 The IIA view
From the chief executive, Ian Peters.

Features
12 He can be sure of Shell
Armand Lumens, chief IA at Shell, explains how he zips up internal audit across the business.

REGULARS
30 Tools for the job
A guide to the IIAs guidance for members.

5 World view
From Richard Chambers, IIA Global president andCEO.

32 You asked us
Experts answer readers technical questions.

16 Command of chain
How to monitor risk along extended supply chains.

7 View from the top

From Adrian Thompson, chief internal auditor at Norfolk County Council.

34 IIA update
Institute news and membership matters.

20 Moving up
Two former internal auditors reveal how this experience helped them apply for executive roles.

36 Exam results 38 Courses and events

Key training dates.

8 Update
The latest news affecting the profession.

40 Student noticeboard
Essential information for exam candidates.

10 Reportage
The findings of PwCs latest annual global CEO survey.

24 Early-warning system
How to get future risks on your organisations radar.

28 EQA FAQs
Why have an external quality assessment?

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk

WE KNOW AUDIT
TrUsTED INTErNAL AUDIT sOfTWArE
risk assessment >> scheduling >> workpapers >> reporting >> issue tracking

As an internal audit management software pioneer, Thomson Reuters Accelus delivers an end-to-end audit management solution with the best-in-industry implementation. Trust your investment in our proven software and reliable implementation, training and support. Developed by internal auditors for internal auditors, Thomson Reuters Accelus internal audit software improves audit efficiency and productivity throughout the entire audit process including risk assessment, scheduling, workpapers, reporting and issue tracking, helping thousands of corporate and government clients.

For more information: accelus.com/audit

Thomson Reuters. GRC00230

REUTERS/STEPHEN HIRD

View from the IIA

Corporate morality A dose of Salz

If the result of the Salz review is a sounder corporate environment at Barclays there may be lessons for other organisations, regardless of their sector. So where does internal audit feature in this?
Ian Peters, chief executive of the IIA.

The Salz review of Barclays culture and business practices, published in April, made 34 recommendations to improve the corporate environment at the bank. The review suggests that the culture change needed at Barclays can be created by implementing Anthony Salzs package ofmeasures, alongside developing a clearersense of common purpose and well articulated and understood shared values. Salzs recommendations embrace many aspects of Barclays business practices, processes and policies, including standards of professionalism; employee engagement; values and human resource management; customer focus; board qualityand board information quality; and executive team cohesion. On the principles of pay, Salz advises that pay policy should take account of the reputational and behavioural implications ofpay, as well as reflecting individual talent and the persons contribution to the bank. Inparticular, the remuneration of employeesin control functions of the bank should contain a higher proportion of fixed rather than variable remuneration to avoid, for example, potential conflicts of interest. Theserecommendations are consistent withthe draft recommendations of our own committee on effective internal audit for financial services.

In both cases the purpose is to ensure that pay reflects and encourages high professional standards, commitment to company values and a focus on long-term company performance, as well as attracting the skills and talent needed for the job. While many people may see pay as the most important factor to get right in the short term to change culture, the report acknowledges that a transformation of the type needed at the bank will take time. But if the result of the review is a sounder corporate environment at Barclays there may be lessons for other organisations, regardless of their sector. So where does internal audit feature in this transformation? One of Salzs recommendations relates directly to internal audit. Recommendation 33 states that internal audit should ensure the effectiveness of its audits and have scope across the whole business.The internal audit charter should cover all aspects of governance, control and risk culture. Ensuring the effectiveness of internal audit requires complete independence and objectivity and therefore greater influence. But in order to achieve this the corporate environment across the organisation has to be right. Making it right relies on the

Recommendation 33 states that internal audit should ensure the effectiveness of its audits and have scope across the whole business

implementation of Salzs other wide-ranging recommendations. Internal audit can be so much more effective when there is a clear and ethical tone at the top, an open culture and a cultural emphasis onthe continuous improvement of control over risk and behaviour. Salzs recommendations to the Barclays board set out to achieve this. Internal audit can support the board by helping to drive such a culture if it has the right position within the organisation in terms of its influence and objectivity, scope to work across the entire organisation and the right resources. As a package of measures, Salzs proposals could mark a new era for corporate morality, ethics and business practice, and I hope his review prompts discussions not only in banks and organisations in other parts of the financial services industry, but also in other sectors. Such debates, if they lead to a focus on improving the corporate environment across an entire organisation, can only be good for our profession and enable it to deliver its full potential.

HAVE YOUR SAY

Post your comments about this article or any of the issues raised at www.auditandrisk.org.uk

NE W

The Swiss Army Knife of Software

Symbiant Management Suite

Supplied as a fully managed cloud based secure solution, with prices starting at only 200 per month all in. Free Setup, no contract period, no hidden charges.
Symbiant Management Suite - The total management solution Management Suite is a unique modular solution that allows the whole workforce to collaborate on Audit, Risk and Compliance issues including Basel and SOX Risk, Audit, Compliance, CSA, Project, Policies, Documents, Governance, Risk Registers, Risk Indicators, Self Assessment, Incident Reporting, Performance Indicators, Customer Service, Action Tracking, Audit Planning, Key Risk Indicators, Controls, Surveys and more

14
D WINNING SOFTWARE OF AWAR

To find out more or to arrange a free trial visit:

www.symbiant.co.uk

Trusted by names you know from charities to banks, government to PLC.

View from IIA Global

Ethics Where are you on the continuum?

If internal audit is to provide the additional value that is such an important part of the support it provides in organisations, we need to do more than just be ethical.
Richard Chambers, president and CEO of IIA Global.
That every auditor should maintain the highest ethical standards would seem to go without saying. But what do we mean by maintain the highest ethical standards? Most would respond that it is acting in an ethical manner; doing the right thing. But even that leaves questions about how much internal audit should actually be doing. If internal audit is to provide the additional value that is such an important part of the support it provides in organisations, we needto do more than just be ethical . Toincrease our understanding of what this means, I have developed an ethics continuum.This continuum shows the broad range of roles that internal audit can take in its approach to ethics: accomplice, spectator, referee and conscience. The role of accomplice is the worst-case scenario.This is the situation where the auditor doesnt merely turn a blind eye to an unethical situation; he or she actually becomes complicit in the misdeed. While we would like to think that internal auditors are above such behaviour, history has shown that even the most high-minded can become entangled in such improprieties. The next role on the continuum spectator exists when internal auditors feel it is not their role to take immediate action upon witnessing unethical behaviour: gifts and gratuities going to a senior executive; the board not being informed that a significant project is overdue and over budget; or a questionable decision over executive compensation. When spectator auditors see a situation like this, they recognise it as a serious problem. Maybe they identify it as a potential audit area to be included in future plans. But nothing else is done. By not addressing such situations in a timely and appropriate manner, the internal auditors are equally culpable in the activity as guilty as the driver of a getaway car. Many auditors seem to be most comfortable in the next role on the continuum: referee. In sport, the referee is responsible for ensuring everyone plays by the rules. When an infraction occurs, the referee blows the whistle, awards free kicks and wields the yellow or red cards. But it has been said that nobody comes to the game just to watch an official work. The referees role is not to change the game; it is to come in and, by enforcing penalties, try to drive appropriate behaviour. Referee auditors take this literally, seeing their role in ethics as being to help drive ethical behaviour by conscience of their organisation. Bytaking a proactive, rather than reactive, approach internal audit can help to ensure that the organisation maintains the appropriate ethical compass. This means providing guidance, training and counsel at all levels. And it means being willing to say to executive managers: Youre about do something you shouldnt. I would suggest that you dont. Its about being more than a whistle-blowing referee. Its about ensuring that everyone understands the rules and the impact of those rules in a way that keeps any penalties from occurring. It is easy for us to assume we are the shining example that others should follow. But the recent scandal in a global public accounting firm shows that any one of us can make inappropriate decisions that tarnish our organisations and our profession. Recognising your departments current status on the continuum is the first step. Next is determining the actions necessary to become a proactive advocate for ethical behaviour. In this way, we all reaffirm our belief in ethics as a cornerstone of the internal audit profession and ensure that we do more than just sit on the sidelines judging others. In this way, we can ensure we are organisational leaders in the ethics arena.

The ultimate way for IAs to show leadership in ethics is by being advocates for ethical behaviour
reporting problems that have occurred. Theytake no responsibility for helping to prevent those problems. As shown by the final position on the continuum, this is only part of internal audits role. The ultimate way for internal auditors to show leadership in ethics is by being advocates for ethical behaviour the

For further information

Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets as @rfchambers

Comprehensive Audit & Risk Management Software

Pentana Vision

Global audit management software

Modern screen design that operates globally over a range of network speeds without the restrictions of a browser interface Flexible audit planning by entity structure & process Home screen identification of items for your action and review In-built audit methodology and audit report templates Simple deployment and automatic software updates Audit work can be focussed on risks identified from integrated risk registers

www.pentana.com/vision Enquiries: info@pentana.com Call: +44 (0)1707 373335

View from the top

Challenging conversations habit-forming

Any challenging conversation needs to be handled with care because people need to be handled with care. Forget this at your peril.
Adrian Thompson, chief internal auditor, Norfolk County Council.

I can recall many challenging conversations in my time as a chief internal auditor they tend to stick in the memory. Ive been at the giving and the receiving end, and one thing Ive learned is that there is definitely a hard way and an easier way to cope with them. The conversation is rarely as bad as you imagine it will be.You need to plan it well, keep calm, listen, explain and get buy in to the outcome. However, while you can get better at managing them, challenging conversations continue to arise. In fact, the tight economic conditions, reorganisation, rising performance targets and tighter cost control are reasons why they are occurring more frequently.This environment can raise stress levels and affect peoples wellbeing, which in turn can generate complaints and grievances, offering scope for yet more challenging conversations. I have found myself challenging what people have done and what they havent done, as well as why, when, how and where they did something. Sometimes this couldnt be helped, as in the case of attendance management conversations, andsometimes it could for example, whenthere has been misconduct. On other occasions I have had challenging conversations in committee meetings. Audit committees are right to question and challenge and to be sceptical. Ireally enjoy that part of my job. Im supported in my role as a manager at Norfolk County Council by a great head of finance and a well-organised human resources shared service, with guidance and a helpline. I have also had impact leadership

training that covered coaching, mentoring and giving feedback. Such soft skills add to my existing training in auditing and specialist investigative practices.The discipline, pressure and significance of interviewing witnesses takechallenging conversations to a whole new level. Any challenging conversation needs to be handled with care because people need to be handled with care. Forget this at your peril. I have found that any meeting can benefit from developing and applying some simple habits. Some meetings will not go well. Thatslife. But its some consolation to know that you did your best.

Its vital to seek to understand the other persons viewpoint first, ifIwant them to understand me
I try never to have a challenging conversation unprepared. Whether you are giving or receiving difficult news, you dont want surprises. Is the person ready for feedback or questions now? If not, when will be the best time and place? Its my responsibility to be proactive, check my facts, examine the issues, consider where this is going next, what the options and

implications are, and what I want to happen. Stephen Covey, author of The Seven Habits of Highly Successful People, describes this as begin with the end in mind . It may not always be possible to gain a win-win solution, but you must be fair, proportionate and diligent if you are to avoid pitfalls. Its vital to seek to understand the other persons viewpoint first, if I want them to understand me.Thats a difficult habit, as I tend to want to step in with the benefit of my experience or simply to finish quickly. Youcant rush a difficult conversation. Its also important to work with the other person to find a solution and resolve matters. Any plan needs to have full agreement from both. The last habit is to reflect and learn. I like the way Covey calls this sharpening the saw . The habit of evaluation is also a key part of the Peace model used in investigative interviews of witnesses. I always find something that I could do better next time. Ichallenge everyone to practice some good habits and handle people with care.

About the author

Adrian Thompson has worked in senior audit positions in Norfolk CountyCouncil for more than ten years. Heis a member of Cipfa, holds the CiIP andis an IIA affiliate member. The IIA runs a course on Presentation skills for the less confident. Visit bit.ly/11dRxIa for further information.

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see whats new.

UPDATE
CMI report blames weather risk
The British weather in particular, heavy snow caught UK firms by surprise in 2012, according to the annual business continuity survey bythe Chartered Management Institute (CMI). Badweather was revealed as the main cause of disruption toUK businesses over the past 12 months in the CMIs Weathering the storm report, with 77 per cent of survey respondents affected by snow.

We round up the latest business and regulatory news to affect the internal audit profession.

Internal audit report finds FSA neglected Libor risks

severe dislocation in the Libor market in the period from summer 2007 to early 2009, and that 26 of the 97,000 documents reviewed in detail provided a direct reference to lowballing offering a product at a lower price than the one you mean to charge. The report concluded that the FSAs focus on the financial crisis, plus the fact that contributing to and administering Libor were not regulated activities , meant the regulator had too narrow a focus on Libor. Internal audit said that the information should have been better managed and that the likelihood that lowballing was occurring should have been considered . Barclays Bank, UBS and Royal Bank of Scotland have been fined for manipulating their Libor submissions. Other banks still face litigation. To read the reports findings, recommendations andmanagement response, go to bit.ly/YL51YK andbit.ly/10H0vQe

To read the report, go to bit.ly/YDeEdj

World Risk Day 2013

The second annual World Risk Day will takeplace on 14May. The event, entitled Shatter the project myth , will feature a free global virtual summit, social media debates and an online resource centre providing thelatest thinking onrisk and projectmanagement.

The UKs Financial Services Authority (FSA) should have been aware that there was a risk that firms would make inappropriate Libor submissions to avoid negative media comment, or forlowballing purposes. The FSAs internal audit report on its oversight of the London inter-bank offered rate (Libor) found that the regulator at all levels of management was aware of

FCA promises long-term focus

The new Financial Conduct Authority (FCA) has released a business plan and risk outlook stating that it will focus on longer-term risks.These will include firms not investing in innovative new products to meet the changing needs of society; the withdrawal of sales forces; and too few new entrants to the industry to allow competition to flourish. The risk outlook sets out the challenging economic backdrop as well as outlining how the FCA will assess market conditions and identify future risks. Many of these are complex and will require several years focus, it says. The business plan sets out how these risks will be managed in the first year and how the FCA will use its

Visit www. worldriskday.com for more details.

resources effectively to meet its objectives of securing an appropriate degree of protection for consumers, safeguarding and enhancing the integrity of the UK financial system and promoting effective competition in the interests of consumers. For more information, go to www.fca.org.uk

union body fights fat-cat pay

The UKs largest unions have banded together to use their shareholder influence to slap down fat-cat pay deals and poor governance practices at AGMs. The TUC, Unison and Unite unions have formed the Trade Union Share Owners group, which controls 1bn of staff pension funds. They will agreecommon voting positions on directors pay and bonuses, membership of boards and advertising of new director posts.

Chancellor tightens Whitehall spending

George Osborne has increased the public spending cuts he is seeking from the June spending review by 1.5bn. In Marchs budget statement, Osborne said he wanted total savings of 11.5bn, rather than the 10bn he announced last year. Further public pay restraint is expected to contribute to this. Whitehall departments will have one per cent docked from their budgets in each of the next two years in an effort to keep spending under control and help bring borrowing down. More details about how the cuts will be made will be set out in the spending review on 26June. Whitehall departments have already underspent by a total of 11bn this year, thanks to tough financial control . This was 3.4bn more than the independent Office for Budget Responsibility had forecast.

1bn public-sector fraud uncovered

The National Fraud Initiative has detected 1bn in incorrect and dishonestly obtained payments in the UK since its establishment in 1996, according to the Audit Commission. Almost 10,000 cases of fraudulent singleperson council tax discounts have been detected or prevented, saving 160m, while 250m of housing benefit overpayments have been identified. Almost 70,000 blue badges and 97,000 concessionary travel passes have been cancelled. The National Fraud Initiative compares data held by 1,300 public-sector and 77 private-sector organisations. It flags up inconsistencies that could indicate fraudulent activities, particularly those that might be missed at local level. Participation by all local government and health bodies is mandatory. For details, go to: bit.ly/11GDNdC

For details, visit bit.ly/15OoUm9

Nasdaq internal audit proposals

The US Securities andExchange Commission has published for comment Nasdaqs proposed rule that all listed companies have an internal audit function by the end of the year. It says that firms may outsource the function and that the audit committee must meet the IAs (or other responsible staff); help the board in overseeing the function; and discuss the responsibilities, budget and staffing of the function with external auditors.

Spreadsheet dangers
A survey of senior executives and senior managers in UK financial services firms has found a dangerous lack of awareness concerning business-critical data managed in spreadsheets and similar databases. The research, by data management company ClusterSeven, found that 93per cent of respondents used spreadsheets to manage financial data, but 51 per cent had poorly monitored policies or no usage controls. For further information, visit bit.ly/hKyFK2

For details, visit http://1.usa.gov/ YwbJ5i

REPORTAGE
of UK CEOs are planning to employ morepeople in 2013,

UK chief executives are more worried than those in other Western nations about the availability of key skills, according to PwCs latest annual global CEOsurvey, Dealing with disruption: adapting to survive and thrive .

45%
but

of UK CEOs are contemplating a cross-border merger or acquisition,

30%

while

are planning a domestic M&A deal.

43%

10

are planning to cutjobs.

33%

75%

of UK CEOs are anticipating structural changes to their organisations.

80%

of UK CEOs, compared with 57per cent of CEOs globally, thinkthat creating and fostering askilled workforce should be apriority for government.

91% 84%

of UK CEOs are planning to change their strategies for attracting andretaining customers.

87%

of UK CEOs want to use social media to strengthen their firms engagement with customers.

of UK CEOs claim to have active succession plans in place,

base as a top-three priority for the year, while 54% citedimproving operational effectiveness and 52% cited enhancing customer service.
When asked about the most important non-domestic market for their growth prospects in 2013, 24 per cent of UK CEOs cited the US, 19 per cent citedChina, 11 per cent cited France and 11 per cent cited Germany. 38 per cent cited organic growth in the domestic market as their main hope of expansion.

62% of UK CEOs cited growing their customer

11

compared with

24%
US

19%
China

38%

Organic domestic growth

83%

57%
of CEOs globally.

11%
France

11%

Germany

of UK CEOs are planning cost-reduction initiatives this year. Only17 per cent have R&D as a top-three priority for the next 12months, compared with 41 per cent across western Europe.

For PwCs 16th annual global CEO survey 1,330 interviews were conducted in 68 countries in the fourth quarter of 2012. The full research report can be downloaded from www.pwc.com/ceosurvey.

85%

Being integrated with the business is very important. Thats one reason why 85 per cent of the 220-strong IA team at any one time is rotated out of business roles.

12

He can be sure of Shell

Armand Lumens is chief internal auditor engaged in risk management at Royal Dutch Shell the company where hes spent pretty much his entire working life. But its the diversity of his career that gives his current role real clout.
Words: Richard Young Photographs: Liam Sharp 13

You get a flavour of the oil giants approach to risk management the moment you walk into reception at the Shell Centre. The security guard firmly and respectfully asks for my bona fides at the door. When the receptionist hands me my pass, it comes complete with a list of health and safety tips on the back. Even the welcome video playing onthe big screen in the foyer urges me to have a productive and safe visit. That combination is important to Armand Lumens, the companys chief internal auditor. People in the business are not going to do anything that they believe has no value, he says. Managers should always be asking how they get the biggest bang for their buck and the auditors have to think the same way.Theyre not going to waste time dreaming up recommendations that get locked away in a cupboard. Being integrated with the business while maintaining a strict independence is very important to Lumens. Thats one reason why 85 per cent of the 220-strong IA team at any one time is rotated out of business roles. When you learn that 90 per cent of the 350 audits they conduct each

We can go anywhere we like, we can ask anythingwe want, we can request any document andwe can get into any system

year are on operational, not financial, aspects of the business, that requirement becomes compelling. Credibility counts The key is: how do you engage with the business? Lumens says. The first thing is to recruit people from within the business. Immediately that gives you credibility. I cant send a 23-year-old graduate to Sakhalin for a talk about well design with a drilling engineerwho has spent 30 years in Shell. Itdoesnt work. So we bring in expertswhom we train to become internal auditorswithin six months. On any given audit, then, IA assembles ateam of five or six people with a range of skills designed to match the assignment. Thatmakes for richer, more informed conversations. The people joining us workwith five or six new people every five weeks, picking up a lot of skills such as conflict handling, analytics, report writing, presenting, interviewing techniques and working virtually, Lumens says. So a reservoir engineer who joins us wont work only in, say, Africa. Within two or three years he or she will have seen all the assets that deliver major reserves. When theygo back they will have a real depth of knowledge on what works and what can go wrong, because theyve seen operations all over the world. But the drive to win credibility doesnt end there. Whenever we report, my staff are present in the leadership meetings to discuss the outcomes of the audit and any actions required, Lumens says. So you have an expert who is from audit, but theyre with the leadership team to talk about what theyre going to do next. Because the team on the ground already has credibility with the people its auditing, those actions are generally realistic, nuanced and value adding. The mandate Dont be fooled into thinking this is an overly cozy relationship, however.The second

14

critical factor for Lumens is a strong mandate. The executive committee and the audit committee are clear on this, he says. We can go anywhere we like, we can ask anything we want, we can request any document and we can get into any system in the company. Our independence and liberty are very clear. Lumens is quick to add that, if he made a habit of walking into the offices of senior executives with demands , his credibility would take a hit. Its a powerful mandate, but not one to be abused, he says. Whats important is to gain respect. We need to build and maintain our reputation. Every single audit needs to be executed perfectly and people need to say at the end: Wow, this was a good piece of work. It might have been painful. But we learned something and we will change things if we need to. To understand that powerful mandate, its worth taking a detour into Lumens past. Heshad an incredibly varied

career at Shell (see panel, below), but in late 2003 he came to London as the assistant to the group controller. Within weeks of his arrival, Shell was in crisis. It transpired that it had overstated its proven oil and gas reserves by about 20 per cent. Its true that the IA mandate grew in 2004during that reserves crisis, he says. There were a lot of issues concerning the interpretation of rules, integrity, transparency and in 2004 that was all still relatively new [in terms of priorities across the industry]. Lumens spent nearly 18 months investigating the problems and issuing restatements: I probably have the world record for issuing the most 20-F forms in a two-year period! But, as well as boosting internal audits mandate, the experience also reflected Shells style of addressing problems: work hard to make it right, learn the lessons and critically embed these in the culture of the organisation for the future. Risk? What risk? Its worth remembering that Shells business is inherently risky. Pumping combustible materials from deep in the Earths crust, then refining and transporting them to be used by the general public is no cakewalk. But that can actually be an advantage for an internal audit function. Health, safety and environment are only asmall portion of the risks for this company, Lumens says. But, because we take them so seriously, it definitely creates a very strong compliance culture an awareness about riskthat we try to extend to other parts. Hence those tips on the security pass. Its all part of Shells Goal zero approach to safety throughout the company. So it seems a little surprising to learn that, unlike a bank, for example, Shell has no discrete risk management function. The risks are owned by the businesses. I dont own them, Lumens says. If they decide they want to take a risk even if they disagree with me they can.Thats a management decision. I cant be too far away from it, of

CV: Lumens in the spotlight

Lumens is finance parented hes sent out to any role that looks useful, but ultimately returns to the finance function. You can jump a lot in the first few years, but then they say: What do you want to do when you grow up? he says. 2010Chief internal auditor. 2009-10 VP , finance, for projects and technology. 2007-09 VP , finance, Shell GlobalSolutions. 2005-07 Head of external reporting. 2003-04 Group financial analyst. 2000-03 Supply-chain manager for Africa, the Americas, Iberia and France. 1998-2000 General manager, Shell Gas Bulgaria. 1996-98 Mergers and acquisitions for ShellButagaz (easternEurope). 1993-96 Finance adviser, Shell Trading. Lumens is a member of the IIAs Heads of Internal Audit Service and its Internal Audit Leaders Forum.

The zipper approach

In a large, multi-faceted and multi-layered organisation such as Shell, internal audit has to be tailored to each level. Lumens calls this a zipper approach, and its designed to ensure that decision-makers in the business focus on the right risks. Our auditors might need to give 15 detailed messages at operational level, he says. Theaudit managers above them might look for five key things issues that they can also watch for in other audits. They can pass those on to the business VPs, who will see if theres a cross-over issue in their business. Above them, heads of audit go to the leadership teams where we have business assurance committees, Lumens continues. Those heads can say: Weve seen this upstream; perhaps we should check that area downstream, too. Lastly, I talk to the executive committee and say: Here are seven things weve picked up over the past year that we might want to keep in mind for the future. With 350 audits a year, generating thousands of pages of recommendations, its the only way to ensure that the right decision-makers get the right information. The messages are all the same, distilled for different audiences at different decision-making levels, Lumens says. You want to ensure that the messages add up and are consistent, but are all on the right wavelength to make an impact at every level. Risk management should, therefore, zip up seamlessly from the front line to the boardroom. Any changes in approach or new ideas come from a consistent understanding of how the business operates best.

15

course, and we do have disagreements from time to time on which risks we should run. Then we take it up to the business assurance committee or executive committee and have an open debate about it. I support managers through our audits and workshops and training on risk management, he adds. Thats one of my key drivers that were managing risk better and in the right places. He gives a financial example. My predecessors had 40 Sox [Sarbanes-Oxley Act 2002] auditors in the past, he says. Ihave none today. We needed a lot of people at first to gear up the organisation to be compliant. We needed a lot of support to teach people what controls we were expecting. It was a complete culture change.

But its been completely integrated into the business now. Thats why 85 per cent of our people will rotate back to their functions or businesses, he continues. It strengthens our controls. These auditors have learned so much about what the business is like from doing audits. We believe that has huge added value. Effectiveness matters Thats the mantra: the value of internal auditto the business is absolutely critical. Theres a lot of discussion about where thechief internal auditor should report to, Lumens says. Should it be the CFO? Should it be the CEO? But that debate disappoints me, because it simply confirms certain mythsthat people have about the audit

profession myths that are extremely difficult to bust. The reality? There are audit functions that have clout, impact and the capacity to be sparring partners and that are also moving towards a vision of a high-powered function that really supports the business. Its not only about throwing reports over the fence, he says. So we say: if we can do something differently, we can actually make more money or reduce risks or do things faster. So, your reporting line helps you to remain independent, but only by proving your value on every audit do you make a real difference. For details about the IIAs Auditing Business Function resource, visit bit.ly/15yZfCu

The use of relatively cheap suppliers overseas has enabled UK businesses tocompete more effectively on cost. But, as therecent horse meat scandal showed, operating long international supply chainsis not without its dangers.
Words: Alice Hoey Illustrations: Matthew Hollister 16

Command of chain

burger walks into a bar. A pint, please, he says. What was that? I cant hear you, replies the barman. Im sorry, says the burger. Ima little bit horse. And so the jokes went on (andon) after the revelation in January that certain meat products were not all that they seemed. It was no joke for the major supermarkets. Giving evidence to the Commons select committee for environment, food andrural affairs, Tim Smith,Tescos technical director, said that the loss in sales as a result would be a lot bigger than 1m . The eventual cost resulting from the damage to firms reputations could prove much higher than that.Tesco saw 300m wiped off its market value and quickly announced a newDNA testing programme in an effort to stem theflow of customers from its meat aisles and restore confidence in the provenance of its goods. Other affected supermarkets suffered similar consequences.

In theory, supermarkets understand theactivity in one line from farm to store

Although the food industry is in the spotlight, thescandal has raised serious questions about the traceability and transparency of supply chains more widely, highlighting the challenges faced by organisations in guaranteeing that their business partners are up to the required standard. Advances in logistics technology and infrastructure have enabled British companies to take advantage of lower-cost suppliers around the world, which has given rise to longand complex cross-border supply chains. But their proliferation presents a number ofproblems, including those of ensuring compliance with regulations in each country concerning health and safety, ethical practice and social responsibility, andof ensuring that information about suppliers isshared. These are problems that many companies have yet to solve. Research byTV SD, a German-based product testing and certification organisation, has

The Food Standards Agency needs to ensurethere is more sharing of information among regulators at a European level

17

Apple terminated its relationship with a component maker, Guangdong Real Faith Pingzhou Electronics, after finding that under-age workers had been employed

18

found that 60 per cent of British manufacturers, distributors and retailers are still unable to trace all components in their supply chains. Perhaps more worryingly, even though the UK has some of the worlds strictest regulations on food labelling and hygiene, nearly half of firms in the survey admitted that they couldnt guarantee that all of their suppliers satisfied British product safety requirements. Another study by the fraud investigation and dispute services team at Ernst &Young has found that nearly half of British firms are failing to vet their foreign suppliers for compliance with the UK Bribery Act 2010. Only six per cent of respondents said that, if they were to find that a supplier was non-compliant, they would put the contract back out to tender.

Making connections
According to Paul Carr, director of FMCG at Achilles, one of the worlds largest supply-chain information management companies, the crux of the horse meat scandal was a lack of joined- up information on how suppliers were interacting. In theory, supermarkets understand the activity in one line from farm to shop, but it took four weeks to work out, sideways, which other supermarkets and outlets the rogue provider was supplying. Toprevent this situation, supermarkets must work collaboratively and use supply-chain mapping to understand the network of

supply chains servicing their industry, he says. Mandy Murphy, a spokeswoman for the British Retail Consortium, says that its members have established robust systems for food safety, based on auditing and strong supplier relationships, but sheadmits that these arenot designed toidentify possiblecriminal behaviour or people trying to flout the rules. That is much harder and it may be that those systems need to be reviewed to cope with this. Murphy concedes that more could be done to improve intelligence-gathering across Europe. We are members of the Food Standards Agencys consultative group on emerging risks, which is a useful forum for exchanging information on

Both buyers and sellers have responsibilities with regard to the quality and condition of goods

future risks in the supply chain, she says. But the agency needs to ensure there is more sharing of information among regulators at a European level. There has always been a need for knowledge, understanding and good long-term partnerships, according to Kevin Rumfitt, CEO of the Institute of SupplyChain Management, but language barriers, cultural differences and concerns about the cost of travel have been limiting factors.The economic conditions havent helped, he explains, because firms seeking cost savings are cutting back on the travel that is necessary for UK businesses to meet their suppliers face to face and strengthen relationships. For some firms it means that theres

A cyber compliance headache

Ross Parsell, director of cyber security at Thales UK, says that ensuring effective supply-chain management is an important and difficult challenge for the security industry. Cyber criminals have started attacking supply chains instead of targeting organisations directly, making the electronic defences of the supply chain as important as those of the organisation itself, he says. Companies need to assess the cyber security processes of all of their suppliers that handle sensitive information, Parsell says. Some of his following recommended actions could easily be applied to a range of industries and product or service types: Classify the security risk of the data and access points you are providing to suppliers. Review regional and industry compliance standards to ensure that all regulatory requirements are met for the countries and sectors in which your business operates. Set best-practice guidelines to assess all existing suppliers and potential ones before doing business with them.

more trust and less knowledge of where produce has come from, Rumfitt says. Saleem Chowdhery, head of risk and internal audit at Morrisons and a member of the IIAs Heads of Internal Audit service, agrees that there has generally been too much focus on improving margins at the expense of ensuring traceability. Both buyers and sellers have responsibilities with regard to the quality and condition of goods, he says. Most well-managed businesses will have assessed the risks in their supply chains and will be seeking to design these risks out. Morrisons has a relatively conservative approach to ensuring quality in its meat supply chain: it processes 95 per cent of its own-brand fresh beef, pork and lamb in its own abattoirs. We also operate a stringent quality-control system with our third-party suppliers, all of whom have signed up to the Morrisons manufacturing standard and are independently audited against this, Chowdhery says. Our own sites are also audited against the standard, one element of which is provenance.This states that systems of traceability must be in place and sites must maintain relevant certifications.

Track and trace

Industries also need to collaborate in order to identify where they depend on the same suppliers, so that they can identify potential problems, according to Russell Johns, EMEA

marketing lead, strategic supply management, at IBM. They should be taking a 360- degree view of the performance of every supplier and monitoring their risk profile by constantly evaluating their structures, he says. Companies can use the latest mapping technology to track andmanage risk all the way down their supply chains. Thisensures that the total impact of supplier disruption is understood and corrective plans are in place, Johns says. Suppliers can be managed to ensure compliance with corporate standards policies and regulatory requirements, while updates to legislation are automated into the process. Any business that values its reputation must ensure that all links in its supply chain make the grade, in terms of regulatory compliance and also social responsibility and sustainability. For instance, Apple recently

announced that it had terminated its relationship with a component maker, Guangdong Real Faith Pingzhou Electronics, after finding that under-age workers had been employed, he says. A range of simple technologies can also be used to trace the various components of a product.These are already common in the automotive and pharmaceutical industries, according to Rumfitt. At Nissan, for example, if a dealer takes issue with an exhaust on a new vehicle, each component can be traced, through its own assembly line, from the tier-one supplier that delivered it all the way back to the foundry it came from.They can even determine the mixture of metals that went into it.The systems are already out there and in use, he says. The question is: why do we have more control over how our cars are made than the food we put in our mouths?

95%
of Morrisons own-brand beef, pork and lamb is processed at the supermarket chains own abbatoirs.

Although no branded products at Morrisons were affected by horse meat contamination and no goods were withdrawn, the business is not complacent. It is good practice to review processes continually, Chowdhery says. Internal audit has an important role in ensuring that the systems of control to manage the key risks are operating effectively. In our business, internal audit frequently tests the food safety management systems, quality systems and processes concerned with new product development. We have conducted an assurance mapping exercise to understand the second lines of defence, including an assessment of the strength of this assurance against the key risks to Morrisons. And in the past we have challenged management to consider its confidence in the representations it makes about things such as the provenance of its meat products. Its understandable that some businesses will seek the cheapest route to market, however complex the resulting supply chain might be. But the potential reputational costs can be considerable. Businesses can be destroyed for good by mistakes, so they must find the correct balance and ensure that the quality of their brand is built on the quality of the products they supply, Rumfitt says. Anyone who cannot tell you what is really in their products is in big trouble.

19

John Otty, CFO for Africa, Asia Pacific and the Middle East, Vodafone.
Before I became head of internal audit I was CFO for Asia Pacific and the Middle East. I thought I understood what internal audit did, because I had been audited several times and because Id sat on audit committees. ButI was surprised when I discovered how much value internal audit adds to the organisation. Internal audit has a lot of strength in the company and it can really get things done. But too often its hidden. Itried to use my operational experience to maximise its impact. Forexample, I gave my team permission to engage directly with the business to help resolve a problem if they saw one. I dont mean getting involved in operational execution, butsimply helping managers to understand the problem and ensuring that they have started working on it. Inthese cases there was no audit involved, but the impact on the business was high, the resolution was fast and value was seen to be added. One of the most important opportunities that internal audit offered me was the experience of presenting information to the board on a regular basis. I learned how to present complex information more efficiently and how to get my message across in straightforward language the telecoms sector is full of jargon. I had a strong relationship with Nick Land, the chairman of the audit and risk committee. Hes very experienced and understands his role. This helped to create a trusting

20

relationship, which I think is vital. He told me that he has two friends: the external auditor and the internal auditor. I could tell him things in confidence that went beyond the main presentation to the committee and which gave him a better, richer flavour of the companys risks. One big change for me was building the leadership skills required to run internal audit. Id worked in global roles before, but this was the first time that I had directly managed 120 people across the globe. It was like running a worldwide consultancy. Thismeant that I was responsible for motivation, communications, development and training. I also enjoyed the fact that the function was independent from the organisation, soI could set the agenda and lead the team where I wanted to go.This was a great leadership challenge and a massive change from my previous and current jobs. I now manage 15 people, all of whom are based in our London office. I visited internal auditors in all the countries where Vodafone operates. Where I felt they could influence the company more effectively, I offered them support with senior management locally to ensure that they had the influence and the voice they needed to be heard.The internal audit community in Vodafone is fairly well integrated and, although the team works in many regions, we all operate in the same environment.

This was the first time that I had directly managed 120 people across the globe

Moving up
A long career in internal audit can be hugely rewarding. But, for many people, a stint in the function is a chance to build an in-depth understanding of all aspects of a complex business and to spend time outside the day-to-day management of any one department and gain a broader view of the organisation and its markets.Thisexperience is not only interesting; it can provide the operational knowledge and industry insights that are invaluable for a member of the senior management team. Here we ask twoformer HIAs in very different businesses toexplain how their time in internal audit helped them to secure a seat on the board and why the experience changedtheir understanding of the profession.

21

22

I would certainly recommend to others that they should work in internal audit. Vodafone encourages people from other departments to work in internal audit for short stints. Its fairly easy to get people up and running quickly, because weve got a well-structured, well-managed team with a good induction mechanism.The benefits work both ways someone from operations can offer specific knowledge to an audit as well as learning about new areas of the firm. Its also a great opportunity to get to knowpeople at the top of the company. Andits a chance to gain international exposure, because we operate audits across all our regions, whereas most Vodafone jobs are based in one region or country. Id worked at the company for 20 years, but my time in internal audit sent me into parts of it Id never seen before. For instance, I gained an understanding of our network resilience and technology security.This informed my role running the risk management function, leading to discussion of some issues at board level. I saw the chance to go into internal audit as an interesting challenge, but I wasnt sure I was going to enjoy it. Infact, I really enjoyed it because it was rewarding to see that I could make an impact and lead a global team. Now that I am again heading audit committees, my experience in internal audit is really helpful. I used to have a regional team to brief me on audit committee issues, but now I talk directly to the internal auditors. I appreciate how important it is that they feel they dont have to protect management. Im also more aware of the importance of resilience and I can influence decisions better because Iunderstand the issues. John Otty is a member of the IIAs Heads of Internal Audit service and its Internal Audit Leaders Forum.

David Fletcher, president director, Permata Bank, Indonesia.

I was head of internal audit at Standard Chartered Bank in 2004-09 and before that I worked in business governance and risk roles at Standard Chartered and CitiBank. I had one perception of internal audit when I joined it and a very different one when Ileft. I appreciated what internal audit did far more from the inside than I did from outside. Its easy for managers to say internal audit is important and necessary, but theres always a degree of subjectivity when youre actually being audited. Working in internal audit made meappreciate how difficult a role it is and how important communication is for an audit function. No one enjoys being audited, so its essential that auditors communicate well. Theyalso have to be independent and retain full editorial rights over their report, while reassuring people that their views will be heard and the process is fair and consistent. Internal auditors can do extremely valuable work, butit will bewasted if they cannot communicate this in the company. Its not about catchingpeople out; its about understanding risks and addressing weaknesses.This communication has to go both up and down the organisation. Inmy current job Im aware thatIdont want a company witha good news culture ifsomething needs addressing, itneeds addressing. Its important that internal audit isnt restricted to stating facts alone. A good internal audit function will feel confident in giving an opinion, because you cant always wait until you have proof of a weakness before you address it it could be too late. We are all working for the same shareholders, merely in different roles. Most managers dont tend to think too much about this kind of thing

Id worked at the company for 20 years, but my time in internal audit enabled me to go into parts of it Id never seen before

unless they have worked in internal audit.Thats why its so valuable to spend time in internal audit or a risk/ compliance function. Being an HIA enables you to form an overview of the whole company and join dots and see patterns that would otherwise behidden. It also encourages you to think more about the downsides than most managers tend to. Used with balance, this is a good thing. Im now probably harder on our internal audit function than Iwould have been if I hadnt worked in it, because I understand how much value it can add when it works well. If Im confident that the team is doing its job well, I know that I can back its findings if a disagreement or conflict should arise. Independence shouldnt be confused with lack of interaction

with business units. A topquality audit team shouldnt have to do a full audit to raise issues or have an informed opinion. But all parties need to appreciate the need for independence. If a business unit knows about a problem and doesnt tell internal audit, it can be just as bad as if it doesnt know and the problem emerges only as the result of an audit.You need to foster a culture in which people can contact internal audit about a concern and know that, rather than being held against them, the issue will be treated fairly and consistently. Skills such as communication, teamwork and quickly understanding topics apply to all management roles, so there shouldnt be a huge jump to move from internal audit to other areas. Business is all

Working in internal audit made me appreciate howdifficult a role it is

about taking risk, so all managers benefit from understanding the balance that has to be maintained and the importance of keeping the right perspective. But it is important that anyone moving out of internal audit is confident that they wont find previous disagreements held against them. A mature company will understand that some disagreements are necessary and should not be personal.The internal audit role can involve identifying failures and that can be appropriate in certain circumstances, but its usually better to present these asconstructive advice on makingimprovements. After working in internal audit, I now stress that I dont like staff in the business to be given the objective of having no failed audits . I realise that this isnt in their control and would prefer to have objectives such as issues identified in audit rectified in time agreed . Ive also learned that organisations spend too much time discussing audit grades when they should be focusing on what needs to be

changed and how and when this will happen. Im far more aware that audits throw up things that extend beyond one function or business unit. If an audit finds evidence of weaknesses further along the organisational chain, then its important to address these and not wait for another audit. It is easy to be in siloed in business. In audit, the real value often comes when the silo is broken. This broader picture is one of the great strengths of internal audit. For example, its highly unlikely that any one audit will pick up an isolated fraud, unless auditors are lucky with their sample. Its far more important that it highlights weaknesses that could create opportunities for fraud. If fraud happens, its easy for management to say: What was the IA team doing? Now that Ive worked in internal audit, I understand that this cant be expected, except in a few rare cases. I appreciate more the ways in which internal audit prevents fraud and other problems arising in the first place and where it really adds value throughout the company.

23

Looking for more? Go online

How have you seen your role evolve over the years? To have your say on this and other issues, visit www.auditandrisk.org.uk. Formore information about the IIA Internal Audit Leaders Forum, contact paul.roberts@iia.org.uk

G4S has 620,000 employees in 125 countries. Its regional teams are responsible for completing their own risk profiles.

620,000

Earlywarning system
Words: Neil Hodge
lthough businesses now focus moreon riskmanagement and internal control than they did before the financial crisis of2008, the spate of governance disasters, bankruptcies and regulatory censures in the crisiss aftermath have prompted many observers to wonder whether organisations have a blind spot when it comes to spotting the next big event that might hit them hard. While the telltale signs of trouble will vary from firm to firm, HIAs say that the principles of managing and communicating emerging risks are very similar for most businesses. In essence, risk information needs to be brought up from ground level to the board, while the management needs to ensure that action to control and mitigate these risks is taken throughout the organisation. Phil Summerton, head of internal audit at security management firm G4S, says that, in a large company employing 620,000 employees in 125 countries, regional teams are responsible for completing their own risk profiles.This means that, while the corporate centre has overall responsibility for the development of processes, local teams need to ensure that they are appropriately setup to manage their own risks.

How can organisations improve their awareness of nascent threats that arent yet on the radar? When potentially huge risks are involved, vigilance at all levels and good communications are crucial.
25

For our business, risks should be identified and picked up at a local level, Summerton says. These should then be appropriately communicated up the chain. It is this communication process thats a core partof managing any risk strategy. G4S categorises its quantifiable risks under four headings: financial impact; severe impact on achieving business objectives; reputational damage; and disruption to business . These form thebasis of its global analysis, Summerton says. An integrated risk management process is vital. Thefirst part of this is to ensure that a robust process isinplace.The second is to ensure that people have boughtinto it, he says. This is where appropriate training and engagement is necessary. By creating a culture of transparency, you will ensure that the processis duly followed. While HIAs agree that it is important to have established protocols for sharing risk information, manybelieve that the speed at which that informationisrelayed is also crucial. Bruce Vincent, senior vice-president and head of global internal audit atInterContinental Hotels Group (IHG), has developedaprocess called dynamic risk assessment

There is nothing like showing executives what has gone wrong at a competitor to explain the seriousness of a similar occurrence in your own organisation

tohelp highlight emerging threats as quickly aspossible. Its a continual, flexible and reactive approach that ensures we are aware of risksas they emerge, he explains. Thisrequires close engagement with the organisations stakeholders to determine issues that may be affecting their operations. It ensures that we can get constant access to risk information so that we can apply our resources to the best effect possible where risk matters most to IHG, he says. Vincent says that the information received through the assessment is fed intoassurance maps, which provide a better idea of how the risks should be controlled and of who needs to take responsibility for managing these.

Rapid response

26

Access to risk information is crucial and the speed at which you can get hold of it can be a determining factor in how well you deal with it, Vincent says. Our approach is to make everyone in the organisation aware that risk management and assurance is important and that they all have a duty to identify and report anything that they feel may have a negative impact on the business. Internal audit can then assess that information and suggest appropriate measures to the people responsible for managing the areas affected, he says. Vincent adds that collaboration at the topof the organisation is also vital. He is part of the companys risk working group, which is led by the head of global risk management and includes the general counsel, the head ofstrategy and the head of programmes (aswell as any other senior people who have a particular interest in the matters under discussion).This group meets at least quarterly to discuss big risks, which are disclosed in the annual report and communicated throughout the business to

We also look at social media. Its vital that we keep our ear to the ground

ensure that employees are aware of these and of the action they may need to take to identify, mitigate and report instances wheresuch risks have been found. Vincent says that there are numerous ways to ensure that the board makes emerging risks a priority. There is nothing like showing executives what has gone wrong at a competitor to explain the seriousness of a similar occurrence in your own organisation.They understand the scaleof the problem and quickly, he says. Another good idea is to make it personal , he says. If you know what the objectives are of each senior manager, you have a much greater opportunity to show how a particular risk if not properly managed could stop them from achieving their goals at an individual level.That will gettheir attention. Justin Murrell, director of risk management and internal auditat Land Securities, a FTSE-100 commercial property company that focuses on the retail and London office sectors, alsobelieves that close interaction with the board is important in addressing emerging risks to the business. As I report directly to the chief executive and the executive committee and meet senior managers regularly, I get a veryclear sense of their objectives, their views on risk and which risks they are going to prioritise, he says. Over the past few years, Murrell says, there have been several important trends that the organisation has had to prioritise asrisks to its business.The first is the growthof online shopping and the rise of click and collect retailing, while mobile applications and Wi-Fi technology have also changed thepurchasing experience and forced the organisation to incorporate these new channels into its shopping centres. Consequently, the organisation monitors emerging risks through a mixture of

internal and external sources. We have a relatively small number of employees just over 600 people nationally which makes it easier for us to get people to feed in risk management information that we can use to get a better sense of consumer trends and which risks are becoming priorities. But we also make good use of the information we get externally. For example, we can measure footfall in our centres to check spending patterns and look at the revenues of the businesses based there to see how they are doing. We also look at social media to see whats being said about our centres, which gives us a much better idea of what the organisation may need to do in order to meetcustomers expectations. Itisvital that wekeep our ear to the ground. Another key characteristic of a successful risk identification process, according to many HIAs, is a close and collaborative relationship between internal audit and the risk management function. Chris Brookes, director of internal audit at global consumer packaging manufacturer Rexam, says that his department works with the risk team as part of the groups enterpriserisk management (ERM) function. This is a tight-knit group function that brings together risk leaders, managers and functional experts from the different parts of Rexams canning operations in North America, South America, Europe, Africa, the Middle East and Asia which represent 90 per cent of the business; and from the healthcare plastic packaging operations that make up the remaining part. About two years ago Rexam further refined its risk management processes when it established a risk leadership team comprising risk leaders, managers and functional experts from within the business, the group ERM function and internal audit. Its

It is not tenable for internal audit only to review what others are doing; it needs to get more directly involved in the risk process

brief is to consider risks in more than 20 countries, look at the management controls in place to mitigate those risks and then prioritise ones for further review and monitoring.The overall programme is then reviewed by the companys audit and risk committee on behalf of the board. Brookes says that regulatory developments and new consumer trends are two key areas in whichthe firm looks out for emerging risks. Legal changes concerning packaging are an obvious area of concern to us. We need to keep ontop of any such regulations that are likely to come into force in our countries of operation, hesays. But changing consumertrends also present challenges that we need to be responsive to, including changes in lifestyle, taste, nutrition and health all of which could lead toshifts in demand away from our products

Long-range forecast
The Met Office also applies a collaborative approach to help

identify and quantify the impact that emerging risks might have on the organisation. Its HIA, Jonathan Kidd CMIIA, says that its risk review committee helps to ensure that there is a collaborative approach among senior managers, risk managers and internal auditors to identify newtrends and suggest appropriate actions. He serves on the committee with senior managers and the head of risk management. Together they discuss which factors are most likely to affect corporate strategy and report their findings to the audit committee. Kidd says that the organisation conducts horizon-scanning exercises to see what the key emerging risks will be over the next year, two years and three to five years.There are four key areas of focus: operational delivery; financial impact; legal, compliance and regulatory; and reputational risk. We use a heat chart and map these risks, their likelihood and potential impact against our corporate objectives, Kidd says. Once these are prioritised, internal audit works with risk management to monitor andreview them and provide assurance overthe controls designed to mitigate them. Our findings are then passed on to the audit committee and the board.

Given the needs of the organisation, Kiddbelieves its necessary for internal auditto be more hands on in the risk identification process. Resources are tight and demands are increasing, he says. It is not tenable for internal audit only to review what others are doing; it needs to get more directly involved in the risk process. He adds: There is heightened demand atboard level for internal audit to work moreclosely with risk management so thatthey can form an integrated view. Internal audit does not own risk, but we needto be able to deliver our views and any informationwe have to hand on emerging risks, so that risk management can act on ourfindings. FOR MORE INFORMATION The institute will be running a course on Auditing enterprise-wide risk management in York on 22-23 May. Visit bit.ly/IIAERMauditing for details. Philip Summerton, Chris Brookes, Justin Murrell and Bruce Vincent are members of both the IIA Internal AuditLeaders Forum and the Heads ofInternal Audit Service (HIAS). JonathanKidd is a member of the HIAS.

27

EQA FAQs
The institute has completed external quality assessments (EQAs) in the insurance, manufacturing, charity, housing and education sectors so far. Members are telling us that their experience of these has been positive and we believe that focusing on continuous improvement is the right approach. It may sound obvious, but EQAs tell us the issues that internal auditors face every day. This knowledge influences our policy discussions, guidance and training. Its been interesting to see the reality of internal audit in the context of each organisation and how each function adapts to its environment, says Sarah Blackburn CFIIA, a former president of the institute and current member of the EQA review team. Itreinforces the wisdom of our Standards as principles, which can be interpreted in so many ways in different organisations yet fulfil the same essential purpose. The very fact that the Standards are flexible means that our reviews are examining the issues that matter and delving into the ways that internal audit makes a difference.

The institutes technical manager, Chris Baker CMIIA, explains the value of an external quality assessment, what happens during the review process and how best to prepare for one.
good governance and the role that internal audit can and should play. The emphasis of an EQA depends on what the client wants. Some heads of internal audit who are new in their jobs or in the process of a reorganisation may want it to focus on new ways of working. For others, conformance is the crucial concern.The point is that we are flexible and can tailor a review to specific circumstances without compromising our own objectives. Its therefore important during the planning stage for us to listen to clients expectations and talk through the practicalities after all, this is not meant to be an audit of auditors. As our portfolio of reviews grows, we are building our knowledge of what works in a range of organisations, having seen some interesting approaches to resourcing, measuring performance, reporting and taking action. Perhaps the most rewarding part of doing an EQA is acknowledging the good things we see and discussing new ideas and plans. It seems that everyone has something to offer in terms of insight and innovation, so its an objective of ours to build a comprehensive benchmarking database that we can share with members to enhance the professions overall performance.

28

What do clients get from the process?

Readiness reckoner
Kay Peacock, head ofcorporate audit services at the Atomic Weapons Establishment, describes some of thepreparations that her team made before its EQA in January, which contributed to a successful outcome: Doing a selfassessment based on all 56 IIA Standards can seem daunting atfirst. My advice would be to choose a few Standards with which you can readily identify conformance and record what you do. This soon gets you into a rhythm. We assessed each Standard on a separate page using a template and filed them all in numerical order. This helped to identify the evidence we needed. We also created an evidence file to link documents to Standards. In some cases one document applied to several Standards. This meant that the reviewers could easily access our files and understand ourapproach. Lastly, we incorporated action plans into the self-assessment so that we could discuss proposed changes with the review team. The reviewers were then able to acknowledge our achievements and confirm that we were on the right track.

What are the aims of an EQA?

Each EQA has two specific goals: to provide an opinion on the level of conformance with the IIAs Code of Ethics and International Standards; and to offer specific recommendations to support the continuous improvement of the internal audit function. Often this means that our reports include recommendations to the audit committee and senior management to enable internal audit to work more effectively.This helps the function and its stakeholders to discuss key topics such as risk management, assurance mapping, coordination and resourcing. We can say with some certainty that our EQAs are stimulating debate about the nature of

The review team prepares two reports at theend of an EQA.The first is a summary of the key areas for development.This is of prime interest to the audit committee and senior management, enabling them to reflect on issues affecting governance, risk management and assurance. For this reason we generally present recommendations in order of importance, rather than in Standards order, although we will state our opinion about the overall level of conformance. The second report contains the detail of the review that informs our opinion and provides the basis of our recommendations. We use our self-assessment checklist, updated for the 2013 Standards, to consider how the internal audit activity interprets and implements each Standard. Where the review is a validation of a self-assessment, the process is much quicker and cheaper because the in-house team has done the groundwork.

How does an EQA work?

One thing we always bear in mind when conducting a review is that the Standards are principles.This means there is scope for

Some HIAs who are new in their jobs orin the process of a reorganisation may want the EQA to focus on new ways of working

By their nature, full EQAs take longer probably about eight days and we may conduct these over a fortnight, looking at attribute Standards in the first week and performance Standards in the second. Thisshould give the internal audit team a bit of breathing space during the review.

How should I prepare for an EQA?

A good place to start would be to discuss your requirements with senior managers andthe chairman of your audit committee. Talk about the likely benefits, cost, timing, key focus of attention and outputs. Presuming that they are happy for you to proceed, talk things over with your team and, if possible, assign someone to liaise with the reviewers and collate the information they will need. If you are going down a validation route, factor in the time it will take to complete the self-assessment, including the processes of reviewing and report-writing. We have great expectations for our EQA service, as it gives us the chance to support members by raising their profile, explaining their value, recognising their achievements and taking part in their development. As one our reviewers, Martin Robinson CFIIA, said to me recently: The EQA process can really drive forward the performance of any internal audit function and act as an impetus for continued development. We hope that members will commit to EQAs not simply because these are required by the Standards but because there is real value in the process. We know that some arent sure how to start the process or simply dont have the time. If that applies to you, we would be happy to provide some training, help with your preparations or steer you through the process as a facilitated EQA. FOR MORE INFORMATION Email chris.baker@iia.org.uk if you would like to have an informal chat with him about EQAs. The IIAs free selfassessment checklist can be downloaded from bit.ly/IIAselfAssessCheck

29

interpretation to allow the internal audit activity to adapt to an organisations unique circumstances. Our self-assessment caters for this by listing options to implement the Standards, but these lists are by no means comprehensive and other solutions may have been devised. As long as we can see evidence that the approach works, well be able to conclude that there is conformance. To gain further assurance, we conduct face-to-face interviews with senior managers and audit committee members. Because these can take a bit of organisation, they tend to be done around the examination of internal audit documentation. We find that scope of work and internal audit planning is the best place to start, as this gives the reviewers an immediate view of the functions methods and resources, which will inform the interviews.

At present the quality services panel comprises a team of ten reviewers, who have many years experience at the top of the profession, so we are confident that we can cover most sectors. We have up-to-date knowledge of what it takes to run an effective internal audit operation and we can share good practice based on a broad base of expertise (a full list of reviewers on the quality services panel, along with other details about EQAs, can be found in the Our services section of www.iia.org.uk).You can expect a degree of challenge, therefore, but it will come through discussion and an appreciation of the day-to-day practicalities of running an internal audit department.

How long should an EQA take?

While each review is unique, a validated self-assessment will normally take four to six days, depending on the level of complexity and the extent of interviews. With a team of two reviewers, this usually means that the EQA will take the best part of a week on site, with preparation and reporting either side.

Who conducts the EQAs?

I am involved in all reviews to ensure consistency and quality. In some, I lead the review and am supported by an experienced reviewer; in others, I have a supporting role.

Tools for the job

A world of knowledge
The IIA is always working to produce guidance aimed at helping internal auditors to stayat the cutting edge of bestpractice. Pauline Scott, technical coordinator, reports onthe technical teams recent work to support members.

30

f youve ever wondered what kind of information and assistance theinstitute can offer its members, or youve considered getting in touch with us to help with a query or concern about your work, then it might help you to get an idea of the guidance provided by the IIA technical team. Requests for information come in to us every day and our new website has made iteven easier for members to submit queries (www.iia.org.uk). There is a specific Ask the resources team page, while every page in the Resources section has a column on the right-hand side where you can enter a question and provide contact details, no matter which resource you are looking at. This is already having an effect: we are receiving more queries than the 30 we averaged each month before the new site went live. The subjects of these questions vary widely, but some of the most popular topicsare: sampling, assurance mapping, performance measurement, risk-based internal audit and audit charters. Some of these are answered in the You asked us section of this magazine on page 32. A few may also be used as the basis of extended Q&A-style guidance documents. Our mostrecent publication of this kind is aboutthe audit universe and can be found atbit.ly/IIAauditUniverse.

You will also see on the new website that instead of publishing guidance as a PDF file we are now providing it on the site itself. Weaim to have all the 2012-13 guidance online soon. This will make it simpler for us to update and more straightforward for members to browse the full range of guidance. It should also make it easier to locate and print guidance on particular topics using our search engine and Google. With the help of volunteers through ourguidance working group, we produced five articles last year offering tips on communication results, audit engagements, writing about risks, internal audit strategic plans and performance management. Thesecan all be found under the Resources tab on the website. We have also prepared longer pieces of guidance on: Solvency II the role of internal audit. Supervising audit engagements. Providing ethical assurance to boards. Influencing skills. Working with stakeholders. Mentoring for internal auditors. Using coaching to develop internal auditors.

In addition weve produced podcasts onquality, international standards, reputational risk and communication. Thisyear, while we are continuing to develop more material of this kind, we are also in the process of implementing a newguidance strategy. This involves looking at how we define and prioritise the information we provide as well as how we publish and communicate it. As part of this process we are refreshing and reissuing some of the older guidance. It is important that we know what members want and what you think of the guidance we produce, so please let us know (0845 883 4739; technical@iia.org.uk). Anddotell us if there is something that you would like to get involved in were always looking for volunteers. We want to know what you think and we need your help. Thisis the only way we can continue to improve what we are doing and produce the quality and quantity of guidance that we do.

Are you a professional internal auditor holding either the IIA Diploma (PIIA) or IIA Advanced Diploma (CMIIA)? Are you just starting out in your career in audit?
If so, contact BHBi to find out how the BHBi Triple Qualification could help you increase your professional standing and become more marketable. BHBis Triple Qualification comprises of: CMIIA/PIIA Award Chartered Management Institute (CMI) Level 7 Diploma in Strategic Management & Leadership Chartered Manager (CMgr) status
Chartered Manager is the highest status that can be achieved in the managerial profession. Awarded only by CMI, it is recognised throughout the public and private sectors, across all management disciplines.

If you hold the CMIIA Award or the PIIA Award already, take the fast track route to enhanced CPD and further qualifications and achieve: The CMI Diploma in Strategic Management & Leadership Chartered Manager status If youre just starting out in your career in auditing you can study for your professional qualifications with BHBi and have the Triple Qualification built into your training! This will help you become more marketable, enhance your career prospects and gain access to professional networks whilst also demonstrating a high level of strategic competence and audit and managerial professionalism. For a confidential discussion on how BHBi can help you achieve more from your professional auditing qualification contact: Mark Barnes Tel 07906972147 Email markbarnes@bhbi.co.uk Paul Haley Tel 07973911317 Email paulhaley@bhbi.co.uk

www.bhbi.co.uk/triple-qualification

BHBi has been quality assured and assessed by the CMI to offer the fast track route to enhanced, continued professional development. Offering a wide range of practical professional resources, CMI membership will not only enhance your employability, but help take your professional practice to the next level and beyond.

PREMIER PRACTICE

You asked us

Q&A

Our technical helpline provides valuable advice to members on a host of professional issues. Hereare some of the questions youve submitted recently.
A. Cipfas guidelines are still applicable. While the public sector has adopted our Standards, the previous internal audit standards were similar, so the change has been evolutionary rather than revolutionary.There is a document in our resources library, What every director should know about internal audit: essential information for boards and audit committees , that might be useful. Q. I have been asked by my audit committee to help ensure that it complies with the IIAs requirements for reviewing the effectiveness of internal audit. I cant find any such requirement on the institutes website. Can you advise me whether there are any and, ifthere are, where I can find a copy? A. The basic requirements set out in the International Standards (1300) are that internal audit should have a range of internal and external measures of assessment for reviewing effectiveness. From an internal point of view, that means performance measures, supervision, self-assessment against the Standards and reporting of performance. Externally, youare required to have a fiveyearlyreview against the Standards by an independent reviewer. The guidance in the institutes resources library entitled Qualityassurance and improvement programmes gives more detail, which youcould share with your audit committee. Thereis also a self-assessment checklist atbit.ly/QualityServices, along with the services we provide in this area.

32

Q. We are planning to develop a standard audit programme to test the various self-assurance processes (second line ofdefence) established by the business. Im seeking guidance that would be applicable to such an audit. I havent been able to find anything directly relevant on the IIAs or IIA Globals websites. Is there any material available that could serve as a starting point for creating such a programme? A. There are three pieces of guidance in the IIA resources library Coordination of assurance services , Coordinating risk management and assurance and Relianceby internal audit on other assurance providers that may be useful. Theres also an external quality assessment checklist at bit.ly/IIAselfAssessCheck. Theperformance standards may provide some guidance and a format to work to. Other things to consider include the adequacy of the work, the depth of coverage, the level of competency, the approach taken and the key risks covered. Key questions to consider should include: is it done on a regular basis? Is there enough documentary evidence? Is there sufficient testing? Q. In the light of the new public-sector audit standards, Im reviewing our auditservices charter. I also want to review the audit committee terms ofreference. Is there any new guidance for audit committees in local government that reflect the new standards? If not, are Cipfasgood-practice guidelines still the most applicable?

Q. I want to overhaul the internal audit manual Ive inherited. It would be useful to receive a copy of any versions that have been provided to the institute for sharing. Can you help? A. Unfortunately, there is no specific standard or guidance on the content of internal audit manuals.This is mainly because they are working documents that are unique to each internal audit activity. Having said that, there are some common features, including the internal audit charter, organisational structure, policies and procedures, quality-control arrangements and reporting mechanisms. If you cross-check your existing manual or ideas for a new one against the new International Standards, youll be on the money.You could use the Forums pages of the Resources section of www.iia.org.uk to find people willing to share information.You could also visit bit.ly/IIAglobalOpsManual on the IIA Global website. Alternatively, simply typing internal audit manual into Google will produce quitea lot of useful material. Got a question? Contact Chris Baker on the IIA technical helpline on0845 883 4739 or email technical@iia.org.uk

Achieve a full professional IIA qualification through a postgraduate study programme with the Centre for Internal Audit, Governance and Risk Management at Birmingham City Business School.
Students attend our DUAL AWARD programme which offers exceptional value for money, through the provision of focused training which yields proven success and delivers a practical and career enhancing experience. We offer a unique programme of training which delivers membership of the Chartered Institute of Internal Auditors, subject to completion of the appropriate experience journal, in one of three modes: full time, block release or flexible learning*. The programme of study provides: - Single assessment for each module using both assignment and examination methods - Teaching that reflects the IIA syllabus at Diploma and Advanced Diploma levels, as well as adding value through real world industry and professional experience - Significant visiting practitioner involvement in the delivery of each module - A cost effective pathway to internal audit career development. Annual course fees for September 2013 and January 2014 enrolments are 7,500 (full time) or 4,500 (part time) and include all learning materials and subscription/examination fees payable to the IIA. For further information, please visit our website: www.bcu.ac.uk/audit or contact us directly on mscaudit@bcu.ac.uk or 0121 331 6595 / 5623.
* Students may opt for a staged entry to study that recognises existing achievements and provides exemptions for relevant professional qualifications and will allow full qualification of CMIIA, subject to completion of the appropriate experience journal.

IIA Midlands Annual Conference

Excellent speakers from well known household names representing different sectors will spend the day focusing on the internal audit profession giving delegates the chance to discuss and share new and best practice. The day begins looking at how internal auditors can meet the expectations of non-executives and CEOs, focussing particularly around adding value. The second part of the day will consider how internal auditors can best get their message over to clients and how to promote their work as being essential to the success of the organisation. Lastly delegates will hear how to move ahead in the profession.
Dates/locations 4 July 2013 The Belfry Wishaw, Sutton Coldfield, West Midlands

Full details can be found on the website and you can register online at www.iia.org.uk For further information please email ciiamids.event@gmail.com

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see whats new.

UPDATE
Renew your membership
Your membership of the Chartered Institute of Internal Auditors demonstrates your commitment to the profession and gives you unlimited access to extensive internal audit resources. By renewing you will secure your place in the internal audit community and ensure that you are best prepared for todays internal audit challenges. Remember that, if you hold an IIA designation (CMIIA, PIIA, IACert, QiCA, CFIIA or FIIA) and wish to continue using it, you must maintain your membership. Renewal notices were sent to members in March. Now is a good time to ensure that the IIA has the correct contact details for you. To do so, please contact customer services. If you have not received your renewal, contact the membership team on membership@iia.org.uk or call 0207498 0101. Please note that members through an employers group scheme agreement will not receive a renewal notice. Subscription rates from 1April 2013 to 31 March 2014 are set out below and members can pay online.
2013-14 Fellow & CMIIA Voting Affiliate Student Retired 223 212 169 111 50

We round up the latest business and regulatory news to affect the internal audit profession.

HSBC chairman to speak at IIA dinner

Douglas Flint, group chairman of HSBC Holdings, is to be the guest speaker at this years annual IIA dinner. Flint has not only had a long and varied career in banking, but in 2004 he was invited by the Financial Reporting Council to set up a group to review theTurnbull guidance and suggest revisions.These were published as revised guidance by the FRC in 2005. He has been a member of the Accounting Standards Board and the Standards Advisory Council of the International Accounting Standards Committee Foundation. In June 2006 he received a CBE in recognition of his services to the finance industry. He became chairman of HSBC Holdings, Europes largest bank, in 2010. The annual dinner will be held on 20 June at the Guildhall in London. About 300 guests are expected, including over 100 heads of internal audit as well as senior figures from business, commerce and other professional bodies. For details or to book a table, call Kim Reed on 020 7819 1940 or email events@iia.org.uk.

34

Do your directors get the best from internal audit?

The IIA and the IoD have collaborated on a new publication explaining the value of internal audit to company directors. What every director should know about internal audit includes sections suggesting Ten ways to get the mostfrom internal audit; explanations of risk governance and the three lines of defence; and Top ten board practices for effective internal audit oversight . The publication also offers two sample internal audit charters andan exploration of the ways in which awell-supported internal audit function is a key component of corporate governanceand a vital tool for the board and audit committee. The document can be downloaded from www.iia.org.uk/policy/policy-publications

35

London to host the 2014 international conference

The Chartered Institute of Internal Auditors isproud to announce that it has been selected to host the IIA international conference in 2014. The IIA Global international conference committee chose London as next years location because of the success of the IIAs own national conference, supported by the award-winning convention facilities at ExCeLLondon, and the cultural and family attractions of the capital. The IIA international conference is the largest annual gathering of internal auditors. More than 2,000 delegates from 100 countries across the world will gather to hear international speakers, educators and professionals discuss a range of topics designed to enhance their knowledge and share best practice. Delegates will benefit from learning about the global audit experiences of recognised practitioners as well as expanding their professional network.They will also be able to visit a huge exhibition and then enjoy a gala evening that will bring the excitement of London and its history to life. Although 2014 still seems some time away, the institute has already started

The IIA is holding the largest annual gathering of internal auditors next year. It needs your help to make this an occasion to remember.
planning for the conference and it will be asking for your support very soon. Dont forget to visit www.iia.org.uk for regular updates about the event.You can also follow the IIA on Facebook, LinkedIn and Twitter for news and exclusive offers. FOR MORE INFORMATION If you are interested in speaking atthe event, nominating someone you know or volunteering your time, contact Ann Cantillon at ann.cantillon@iia.org.uk

Congratulations to the IIA members below, who were successful in the November 2012 exams.
The IIA is the only organisation offering recognised professional qualificationsfor internal auditors in the UK and Ireland.

Ackred, Matt R Aladejebi, Tolulope Arrowsmith, Steve Aziz, Nadeem I Baird, Barbara Barker-Arnone, Emma Bilsborough, Neil J IIA Advanced Bolton, Melissa M Diploma exams Breach, Paul J completed Brown, Rebecca L Byers, Matthew J W Ashmore, Victoria Cave-Ayland, Charlotte Colyer, Gary C Binney, Myles D Cooper, Richard B Bradshaw, Heather IIA IT Auditing Coulthard, Rachael Burrage, Peter Certificate exam Cowie, Amanda J Caddle, Mark S completed Dadhania, Jasmine Cameron, Angela Dadrah, Inderdeep Chalmers, Amanda Ashford, Natasha Evans, Saida Chumun, Mangesh Burns, John J Fanning, Nicholas R Clarke, Paula Cahill, Donal P Fittall, Rachel E Clarke, Steven Clarke, Stephen W T Flaherty, Alice Coveney, Paul D Cox, Leisyen Franklin, Andrew Davies, Victoria A Free, John M Shelton, Timothy C Goold, Anita C Spanner, Michael W Del Greco, Gabriella A Griffiths, Emma E Stanbury, Stephen P Dennis, Hannah E Haggerty, Robert J Whyte, Angela C Gilchrist, Laurie J Hainsworth, Richard A Gough, Paul Harris, Heather M C Hall, Mabel M Hay, Jason The following Hammond, Angela D M Hayre, Baljit students Hirst, Matthew Haywood-Evans, Andrew successfully Jackson, Craig S Howe, Sarah J completed the Jonas-Nartey, Jocelyn Jeffree, Andrew J following exams in Jones, Myra L Kaur, Sharonjeet November 2012: Keles, Mert Kendall, George P1 The Internal Kirtley, Robert B Kent, Benjamin AuditEnvironment Lapish, Kirstie E Long, Duncan Le Roux, Lone K Lucas, Kane A Abralava, Nini Maggs, Ian P Magog, Catherine E Aitken, Anne Majury, Stephen J Marshall, Imogen Al Ruqeishi, Yasir Manson, Christopher J Nicholson, Christian M Allen, Lisa M McClurg, Alan D OReilly, Elizabeth Amber, Tayba McDonagh, Philip Paling, Megan L Armstrong, Darren Mills, Catherine A Penlington, Mark J Baird, Barbara Mulligan, Kevin Baker, Donna M Shepherd, Douglas C Mulvey, Keith Brooks, Francia J Onasanya, Ayodeji Sloan, Linda Clegg, Richard J Owen, Gillian D Spencer, Jill Cowie, Amanda J Pap, Timea Tang, Adrian Dimopoulos, Georgios Parnell, Fiona J Tariq, Moazzam Doran, Fiona Pong, Jessica SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 Thomas, Craig Dunn, Debra K Powell, Gemma K Tyrrell, David Fanning, Nicholas R Proctor, Cassie Valenti, Nicoletta T Finch, Susan Rawal, Sohal Wagner, Svetlana Firth, Adam Redward, Tim J Winn, David R Fyhr, Jess Rees, Nerys E Wood, Matthew Goodredge, Faye Robb, Daniella L M Grun, Jakob J Woodward, Julie L Savage, Mark

In November 2012 the following students successfully completed the examined element of the IIA qualifications:

IIA Diploma examscompleted

Smith, Frances Smith, Lisa A Somerville, Sheryl Sully, Adam D Swift, David Thomas, Alex Vaughan, Noel P Velvick, Jonathan Virketyte-Lleshi, Inga Ward, James L Webb, Joseph Whitlam, Daniel J Wilkin, Gary A Wong, Maurice Wykes, Frances

36

Head, Steven Hedges, Sophie Hegarty, Caroline E Henderson, Tracy A Hood, Harvey Horsman, John Hurd, Samuel R Jeffree, Andrew J Kapembwa, Tuntu S Khanom, Kamrun King, Garry Lee, Anne Lee, John P Lyons, William M A Marco, Nagore McNeill, Angela Minina, Irina Mohal, Nazmin R Mulvey, Keith Nobbs, Kim R Norman, Suzanne P Page, Michael Pendleton, Jacqueline Perkins, Tess Potter, Sarah L Rees, Andrew Ritchie, Martin Roberts, Linsey Rowbotham, Thomas R Sheldon, Jennifer Smith, Lauren Somerville, Sheryl Starkie, Emma Starr, Carolyn F Swift, Louise M Symons, Andrew J Vicary, Yvonne J Webb, Joseph Wilson, Charlotte Winn, Alison J Yates, Sarah

Hainsworth, Richard A Harris, Heather M C Hay, Jason Hayre, Baljit Keenan, Ciara Keles, Mert Kirtley, Robert B Koterba, Silvan M Mahmood, Nassir M Manson, Christopher J Marco, Nagore McClurg, Alan D McDonagh, Philip Mills, Catherine A Moore, Jacquelyn Mulligan, Kevin Nobbs, Kim R OHalloran, Brendan C Parnell, Fiona J Perkins, Tess Pong, Jessica Proctor, Cassie Robb, Daniella L M Rollitt, Sarah A Smith, Frances Somerville, Sheryl Spurrier, Sarah E L Starr, Carolyn F Sully, Adam D Swanney, Mark Thomas, Alex Virketyte-Lleshi, Inga Watts, Jenny Wykes, Frances

P3 Internal AuditPractice
Abbas, Samuel M Abbott, Rachel Adams, Nicola C Allen, Lisa M Armstrong, Katie Baker, Donna M Barratt, Phillip A Bartlett, Sloane M Begum, Laila Brook, Rebecca J Brown, Rebecca L Bruce, Jennifer Chiocca, Michaela Chivers, Francesca Cuthbert, Sinead Dainton, Page 1 Suzanna A M Diable-White, Emma N Dimopoulos, Georgios Dunn, Jennifer L Edwards, Gareth Edwards, Matthew J C Eldridge, Steven D Evans, Saida

P2 Financial Risks and Controls

Ackred, Matt R Atkinson, Cecily M R Baird, Barbara Barrow, Gemma M Berry, David I Bolton, Melissa M Coles, Stephen D Colyer, Gary C Cooper, Richard12:11 B 17/4/12 Cowie, Amanda J Dadhania, Jasmine Dadrah, Inderdeep Eyre-Walker, Louise Fittall, Rachel E Greenhow, Triston J Griffiths, Emma E

Finn, Angela Free, John M Fuller, Daniel Gando, Loide Giblin, Marie Graffham, Alice Grant, Naomi Hampton, David Hazell, Stephanie V P Head, Steven Heaven, Gareth J Hegarty, Caroline E Henderson, Tracy A Herrington, Joanna Hodgson, David M Hood, Harvey Hussain, Belal Hyde, Darren J Jones, Emma F Kilcullen, Annette King, Garry Koterba, Silvan M Macdonald, David Margreaves, Michaela Martel, Gina Mboa, Marcel McCabe, James A McNeill, Angela Meates, Alan Mistry, Jaina Mulvey, Keith Nour, Khadija OHalloran, Brid OMahony, Rose Page, Hannah L Potter, Neil Rees, Nerys E Ritchie, Martin Rose, Anthony D Saffin, Alexis G Sands, Martin J Scattergood, Paula Shah, Nalin Sharp, Abigale Shufflebotham, K T Symons, Andrew J Taylor, Julie Taylor, Siobhan Trenchard, Charlotte Tuson, Richard Vaughan, Noel P Vhora, Salma Walker, Karen J Welsh, Robert Wicks, Laura E Wilby, Leanne Williams, Nanette R Wilson, Daniel J Wyatt, John M

Working with aspiring members of The Chartered Institute of Internal Auditors since 1989

P4 Information Systems Auditing

Ackred, Matt R Amos, Martin J Arrowsmith, Steve Baldwin, Tanya Barker-Arnone, Emma Bartlett, Stuart E Bessell, Robert Binnie, Andrew P7 Internal Audit Blahyj-Murfitt, V M Practice Case Study Boughton, Joanne E Clements, Sam O Aladejebi, Tolulope Colbert, Suzanne J Aziz, Nadeem I Couch, Nathan Cave-Ayland, Charlotte Coulthard, Rachael Flaherty, Alice Cowie, Amanda J Lapish, Kirstie E P5 Corporate Cull, Barrie A Nguyen, Dylan Governance Cuthbert, Sinead Ogunbona, Patience and Risk Dadrah, Inderdeep Savage, Mark Management Davidson, Blaine S Schembri, Johann Davies, Rachel Smith, Lisa A Abbas, Samuel M Diable-White, Emma N Whitlam, Daniel J Acton, Amanda Evans, Saida Bilsborough, Neil J Eyre-Walker, Louise Breach, Paul J Finch, Susan Brown, Rebecca L M1 Strategic Flaherty, Louise Bruce, Jennifer Management Free, John M Byers, Matthew J W Garner, Gemma L Clements, Sam O Ali, Mohammed K Goldsmith, Lorna C Doyle, Allan Atkinson, Andrea A Goold, Anita C Duffield, Deborah N Bennett, Alison A Griffiths, Emma E Dunford, Wayne L A Bennett, Helena Haggerty, Robert J Edwards, Gareth Binney, Myles D Hay, Fiona Eldridge, Steven D Braamse, Jacques Hay, Jason Fisher, Alexa C Bradshaw, Heather Hayre, Baljit Franklin, Andrew Briers, Imogen Hedges, Sophie Free, John M Brown, Steven E Holden, Russell Hampton, David Chalmers, Amanda Howe, Sarah J Haywood-Evans, Andrew Charlton, Alison R Jeffree, Andrew J Heaven, Gareth J Clewes, Joanne E Kaur, Sharonjeet Hood, Harvey Coveney, Paul D Keles, Mert Kilcullen, Annette Dennis, Hannah E King, Maria A Larcher, Timothy A B Elliot Cartwright, Lee B Kirtley, Robert B Lewis, Katherine J Flint, Paul A Laming, Adrian P Long, Cheryl Frankham, Barry P Le Roux, Lone K Majury, Stephen J Fuller, John R Macdonald, David Meates, Alan Gilchrist, Laurie J Maggs, Ian P Morson, Claire Graves, Sarah L A Majury, Stephen J OMahony, Rose Hanson, Barry N McDonagh, Philip Pendleton, Jacqueline Jackson, Christopher Mills, Catherine A Purdy, Sharon E Johl, Gursimran K Minina, Irina Rees, Nerys E Jonas-Nartey, Jocelyn Moorghen, Ming Reid, Oliver Lambert, Paul Morris, Christopher Rimmington, Mal Marshall, Imogen Murray, Rachel SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 Robinson, Jonathan E Matkin, Katerine M Neal, Gareth Sands, Martin J Mistry-Chauhan, Gita Norfield, Mark Sethi, Nittan Moore, Christopher D OKane, Ryan Smith, Adrian B Ni, Jun Feng Onasanya, Ayodeji Owen, Gillian D Smith, Kimberley A Pope, Robert Pap, Timea Swanney, Mark Reed, Philip Pong, Jessica Swift, David Robinson, James

Powell, Gemma K Proctor, Cassie Rawal, Sohal Redward, Tim J Robb, Daniella L M Rollitt, Sarah A Simoes, Pedro Sully, Adam D Taylor, Julie Telford, Chris Vaughan, Noel P Vose, Kathryn White, Jessica Wilkin, Gary A Wong, Maurice Yang, Ruoliu

Symons, Andrew J Telford, Chris Trenchard, Charlotte Vaughan, Noel P Velvick, Jonathan Ward, James L Webb, Joseph Wicks, Laura E Wilby, Leanne

Semken, Timothy Shield, Bernadette J Stenner, Mark Tang, Adrian Thomas, Craig Thompson, Sarah Thrupp, Michael J Towse, Mark N Wain, Ashley A Williams, Michael J Wood, Chris

M3 Risk Assurance and Audit Management

Adams, Wendy L Ali, Shiraz Braamse, Jacques Brooke, Simon Chumun, Mangesh Davie, Gemina Davis, Paul Robert Dempsey, Kim Fahy, Paul Ford, Robert S Forrest, William Fox, Paul F Fung, Malcolm Hammond, Angela D M Hanson, Barry N Harvey, Lisa E Harvey, Victoria M Hutchins, Alice C Jackson, Christopher James, Derly E Jones, Myra L Kailey, Rupinder Kendall, George Kent, Benjamin Kirk, Maureen Lico, Manjola Lucas, Kane A Mfula, Chisola Moore, Christopher D Ni, Jun Feng Osborne, Tania L Otero Tourino, Pilar Penlington, Mark J Pope, Robert Rickinson, Vicki E Seymour, Rebecca Southgate, Laura A Spilsbury, Grant B Talwar, Kieran Thrupp, Michael J Ujah, Chinyere C Wagner, Svetlana Ward, Theresa R

M2 Financial Management
Ali, Mohammed K Bartholomey, Jennifer Bennett, Alison A Binney, Myles D Bolster, Peter Brown, Steven E Caddle, Mark S Cameron, Angela Clarke, Paula Clarke, Steven Clewes, Joanne E Comley, Wayne Davie, Gemina Del Greco, Gabriella A Dixon, Joanna Ford, Robert S Fraser, Heather Gibson, Gary Hall, Mabel M Harrison, Andrew Hirst, Matthew Hussain, Zakir Jackson, Craig S Johl, Gursimran K Kailey, Rupinder Khan, Khadim Lambert, Paul Long, Duncan Magog, Catherine E Mearns, Vicki Meehan, Anthony Nicholson, Christian M Paling, Megan L Paul, Jennifer Robinson, James Rodgers, Sarah K Sloan, Linda 17/4/12 12:11 Spilsbury, Grant B Stenner, Mark Tang, Adrian Valenti, Nicoletta T Walsh, Susan Winn, David R Wood, Matthew

Clarke, Paula Clarke, Steven Coleman, Susan Coveney, Paul D Davies, Victoria A Davis, Paul R Del Greco, Gabriella A Dennis, Hannah E Edwards, Karen Fisher, Karen Gilchrist, Laurie J Gough, Paul Harrison, Sharon F Heather, Alison Hussain, Zakir Jackson, Craig S Jonas-Nartey, Jocelyn Jones, Myra L Kendall, George Kent, Benjamin Long, Duncan Lucas, Kane A Mistry-Chauhan, Gita Ni, Jun Feng Nicholson, Christian M OReilly, Elizabeth Otero Tourino, Pilar Paling, Megan L Patel, Jashita S Penlington, Mark J Ravindranathan, Ramah Seymour, Rebecca Shepherd, Douglas C Sloan, Linda Spencer, Jill Tang, Adrian Tariq, Moazzam Thompson, Sarah Tyrrell, David Valenti, Nicoletta T Veale, Peter Wagner, Svetlana Winn, David R Woodward, Julie L For more information on the IIA or its qualifications, contact the institute on 0845 883 4739, email info@iia.org.uk or visit www.iia.org.uk Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any error or omission.

37

M4 Advanced Internal Auditing Case Study

Ashmore, Victoria Barnes, Calvin L

Barron, Page 1 Francesca H Belgrave, Natasha Binney, Myles D Brooke, Simon Burrage, Peter Burrows, David Caddle, Mark S Cameron, Angela

Working with aspiring members of The Chartered Institute of Internal Auditors since 1989

Events
For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

IIA training courses & events

May
38

14-16 15 16

Internal auditing a beginners course Surrey

23-24 24

Value for money / performanceauditing London

18-20

Internal auditing a beginnerscourse York

IIA Scotland: risk management tools / business continuity planning software, AGM and annual dinner Edinburgh

IIA Midlands: current hot topicsfor internal auditors Birmingham

Assurance mapping a practitioners workshop York

21

IIA South West: an update on audit and risk latest trends St Peter Port

IIA Scotland: heads of internal audit workshop Edinburgh

Lean auditing delivering added value from audit in an efficient way York

June
4-5 6-7 6-7 7
IIA award in effective delivery ofaudit and assurance LONDON

25-26

IIA award in information systems audit and assurance York

10

Successful strategies for headsof internal audit London

16-17 21

IIA South West: annual conference Congresbury

26-27 27-28

Techniques for effective testing Dublin

Post your event

Risk-based internal auditing apractitioners course York

IIA award in interpersonal skillsfor audit and assurance London

IIA award in compliance auditand assurance York

IIA regions and specialinterest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk

21-22 22

Leading the audit team London

Getting to grips with risk London

July
2-5
Introduction to information systems auditing London

Please state the event title,date, venue and contact details.

Presentation skills for the lessconfident London

Insurance Internal Audit Groupquarterly seminar (for information, email contactus@iiag.org.uk) London

The deadline for the July/August issue of Audit & Risk is 17 May.

22-23

Auditing enterprise-wide risk management York

12-13

A practical guide to evaluatingrisks and controls Dublin

IIA Midlands annual conference West Midlands

A BREAKTHROUGH IN COMPLIANCE MANAGEMENT

Controls Management Meets Ease-of-Use and Flexibility

TeamMate, market leader in audit management systems, has released the controls management tool you have been waiting for to address your compliance needs such as:

P P P

SOX BASEL III Solvency II

P P P

IT governance UK Bribery Act Data privacy

Dynamic Working View Flexible TouchFocused Design

The highly flexible design and dynamic working view of TeamMate CM allow for quick access to relevant data and for performing multiple activities from a single screen. Designed and developed with extensive input from experienced compliance professionals, it can be used as a stand-alone solution or seamlessly integrated with TeamMate Audit Management System.

Offered in the Cloud

Learn more at TeamMateSolutions.com/CM or call 0207 981 0552

Copyright 2013 Wolters Kluwer Financial Services, Inc. All Rights Reserved. ARC-13-2940-18/04/13

Student noticeboard

Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
be available on the Exams pages in the Students section of www.iia.org.uk before the end of Tuesday 7 May. have affected their performance on the day will be subjected to rigorous scrutiny. Students who wish to submit details to the institute of extenuating circumstances occurring on the day of the exam must do no later than two weeks after the exam if these are to be accepted. This correspondence must be accompanied by evidence in accordance with the requirements of the policy.

Release of the pastpaper packs and the chief examiners reports

The past paper packs and the chief examiners reports for theNovember 2012 exams areavailable on the Exams pages in the Students section of www.iia.org.uk.

OU accreditation
Since 2007 the Open University has formally recognised that the IIAs professional qualifications are postgraduate level, with up to 60 general credit rating points for each of the IIA Diploma and the IIA Advanced Diploma, and up to 30 for the IIA Qualification in Computer Auditing. Members can use these ratings to support an application for another qualification that they wish to study for at a higher education institution. They may also take advantage of awards of specific credit towards particular OU distance-taught courses. Visit www.iia.org.uk/qualifications/ open-university-accreditation for further information.

Extenuating circumstances
Candidates wishing for extenuating circumstances to be considered in relation to their exams should ensure that they read the IIAs policy in full before making a submission. The test applied for the consideration of claims will focus on any effect the extenuating circumstances could have had on the day of the exam. Circumstances that have affected a candidates preparation weeks or even months before the exam and which are claimed to

Authority-to-sit correspondence for the June exams

40
Correspondence was sent out on or before Friday 3 May to members registered to sit the June 2013 exams. A copy of this correspondence must be taken to the exam venue, because candidates need to present it on entry to the exam room. Photographic ID must also be presented. If you do not receive your correspondence, email exams@iia.org.uk or call Aneta Zieba, assessment coordinator, on 020 7819 1928. Pre-exam instructions, exam regulations and the policy on special arrangements and extenuating circumstances are available on the Policies pages in the Students section of www.iia.org.uk. Candidates should read these in the run-up to the exams.

Publication of the June 2013 papers

The June question papers will be available from 11 June on the Exams pages in the Students section of www.iia.org.uk.

June 2013 exams

Exams will be held from Tuesday 4 June to Friday 7 June. Module IIA Diploma P1 The Internal Audit Environment P2 Financial Risks and Controls P3 Internal Audit Practice P4 Information Systems Auditing P5 Corporate Governance and Risk Management P7 Internal Audit Practice Case Study IIA Advanced Diploma M1 Strategic Management M2 Financial Management M3 Risk Assurance and Audit Management M4 Advanced Internal Auditing Case Study IIA IT Auditing Certificate A1 IT Auditing Certificate Multiple-Choice Questions Tuesday 4 9.30am to 11.30am Tuesday 4 Wednesday 5 Thursday 6 Friday 7 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm Tuesday 4 Wednesday 5 Wednesday 5 Thursday 6 Friday 7 Friday 7 9.30am to 12.40pm 2pm to 5.10pm 9.30am to 12.40pm 9.30am to 12.40pm 9.30am to 12.40pm 2pm to 5.10pm June 2013 Time

Case-study materials
The case-study materials for theIIA Diploma and the IIA Advanced Diploma are due to

The UKs biggest annual gathering of the internal audit profession

Will you be there?

Thursday 20 June, 2013 at The Guildhall, London EC2V 7HH.
Special guest and after-dinner speaker: Douglas Flint CBE, Group Chairman, HSBC Holdings. Our annual dinner grows ever more popular and we are expecting more than 300 guests at this years event at the prestigious Guildhall in the heart of London. Home to the City of London Corporation, the Grade 1 listed Guildhall has been the Citys powerhouse for over 800 years and has provided a grand setting for State banquets and Royal occasions. Make new contacts, renew old acquaintances and catch up with news at the greatest gathering of the profession in the UK.

Sponsored by

BOOK NOW. Both individual tickets and corporate tables are available. Contact Kim Reed to reserve a place for you and your team. Tel: 020 7819 1940 or email: events@iia.org.uk

YOUR NEXT BIG MOVE IN AUDIT

LICENSEE AUDITOR ENHANCE AND ENSURE PROCESS
Bracknell, Berkshire, competitive + benets
Avis Budget Group is looking for a Licensee Auditor to join their expanding Internal Audit Department in EMEA. Working across the licensee network, you will gain a detailed understanding of the licensees key processes, systems and records and conduct audits to ensure licensees are properly reporting revenues and operating in accordance with their agreements. This is a highly commercial role requiring sound knowledge of current auditing techniques, the ability to interpret contracts and excellent interpersonal and inuencing skills. An interesting role with the opportunity of up to 50% international travel. Ref: 1810201 To discuss further, please contact Paul Clutton at paul.clutton@hays.com or call 0118 358 9240

INTERNAL AUDIT MANAGER BUILD POSITIVE RELATIONSHIPS

Aylesbury, competitive + benets
A long established nancial services organisation is looking for a condent and proactive individual to perform internal audit services as part of an integrated assurance programme. This varied role o ers the opportunity to build positive working relationships with all parts of the organisation and to work closely with the senior management team. Reporting to the Head of Internal Audit, you will plan and deliver internal audit reviews that provide independent assurance over the e ectiveness of risk management, governance and internal control processes. You must have demonstrable experience of delivering high-quality internal audit services in the nancial services sector. Ref: 1881048 To discuss further, please contact Paul Clutton at paul.clutton@hays.com or call 0118 358 9240

INSURANCE AUDITOR DEVELOP IN AN INTERNATIONAL TEAM

London, competitive + benets
This global business has an exciting opportunity for a Senior Auditor to join their team following growth across the international and UK business. You will be responsible for managing a number of operational and nancial audits across the corporate businesses and provide critical audit, risk and control advisory services. As a qualied Accountant of Chartered Internal Auditor you will have demonstrable experience in a nancial services or insurance environment. You will have proven track record in audit. In return you will be o ered opportunity to develop in an international team of 30 people across UK, Europe and the US. Ref: 1861297 To discuss further, please contact Sarah Kennedy at sarah.kennedy@hays.com or call 020 3465 0110

INTERNAL AUDIT MANAGER CULTIVATE A SECURE FRAMEWORK

London, 70,000 + benets
A new opportunity has arisen in this rapidly growing business which provides fund administration and back o ce services to private equity and real estate rms. You will set up the control and assurance business infrastructure across the organisation and facilitate both a strategic and hands-on role. With demonstrable auditing experience of private equity and real estate, you will be condent with setting up an internal audit framework. Candidates with a strong internal audit nancial services background will be considered if able to show a good academic background, the desire to be hands-on and excellent communication skills. Ref: 1879934 To discuss further, please contact Donna Bowden at donna.bowden@hays.com or call 020 3465 0110

These are just a selection of opportunities we have to o er, visit hays.co.uk/auditandrisk to search for your next big move.
hays.co.uk/auditandrisk

SF-6617-3 Audit & Risk 8 4 13.indd 1

19/04/2013 16:15

Internal Auditor
(25,666 to 33,481 Inclusive of High Cost Allowance) 37.5 hours a week Permanent We have an exciting and challenging opportunity within our internal audit department for a career minded individual seeking to develop and enhance their internal audit experience. This is a key role within the department and requires a high level of integrity, objectivity and competency. Guy s and St Thomas is one of the largest hospital trusts in the country, with around 12,500 staff; an annual turnover of more than 1 billion; and 1.6 million patient contacts a year. Our hospitals have a long and proud history and have been at the forefront of medical progress and innovation since they were founded. We also provide specialist services for patients from further a field. You will undertake a variety of interesting risk based audit assignments; covering all aspects of the Trust s business, including financial and non-financial activities. You will have experience of internal auditing, including planning, testing and reporting. Ideally, you will have made progress towards a relevant qualification. For an informal discussion, please contact Rosemarie White (020 71884139) or Matthew Wood (020 71884125). To apply, and view the job description and specification, please visit our website http://jobs.gstt.nhs.uk and quote job reference COF1138. For further information about the Trust please visit our website at www.guysandstthomas.nhs.uk Closing date for applications is 22nd May 2013.
Our excellent benefits include final salary pension scheme. Please visit our website to find out more. Equality of opportunity is our Policy.

IIA Annual Conference 2013

Expect more harnessing the power
How are organisations harnessing the power of internal audit to meet demanding new expectations, with resources under pressure, continuing economic uncertainty and new emerging risks? In both favourable and challenging economic environments the internal audit function meets the needs of the organisation by providing counsel, competency and assurance on the resilience of the risks and controls operating within the business. Find out how to identify problems before they happen, provide insights into the effective management of risk and add value to the organisation. Join us at the biggest internal audit conference in the UK and walk away with the knowledge to transform your internal audit function.
Dates/location 11-12 September One Wimpole Street, London W1

tel 020 7819 0101 fax 020 7978 2492 web iia.org.uk

corporate governance recruitment

London & City Asset Management Auditor London 35-50,000+Bens Regions Senior Internal Auditor Cambridgeshire To42,000+Bens
As a result of growth and acquisitions this leading business process outsourcer is seeking a senior internal auditor. Reporting to the Internal Audit Manager, you will plan, lead and deliver a variety of internal audit assignments. You will also be given the opportunity to liaise and build relationships with multiple stakeholders across the business. Strong internal audit skills are required along with a PIIA or equivalent professional qualification.

IT Audit IT Auditor South East To60,000+Bens

Working at this industry leading Plc you will audit their technology both in the UK and internationally. You will deliver a portfolio of audits covering application controls over key systems, interface controls, IT infrastructure, data centres, business continuity and disaster recovery plans. An IT audit qualification and the drive to succeed in a fast paced environment is essential. The role requires approximately 20% international travel.

Audit Risk Compliance Security Legal Treasury

London Edinburgh New York Dubai Hong Kong Singapore

This is a new position in a well known asset management group. They are seeking a part or recently qualified auditor with experience gained within the asset management industry, custody or investment banking/trading. The role covers all aspects of the funds business including equities, fixed income and alternative investments. You should have excellent soft skills and be able to foster good business relationships.

Internal Auditor London To40,000+Bens

This successful insurance and reinsurance provider is seeking an ambitious part or newly qualified auditor. You will undertake varied internal audit and SOx reviews often working with team members from their New York office. Travel is global and is likely to be approximately 20%. You will have a strong academic background and have internal or external audit experience from the insurance sector. Career development prospects are excellent.

Lead Auditor Cheshire To50,000+Bens

This diverse manufacturing group is seeking an experienced lead auditor to strengthen their assurance, audit and control environment. Based in Chester you should be professionally qualified and comfortable interacting with senior management across the group. You should have well developed commercial and interpersonal skills and have the ability to effectively challenge and change established practices and policies.

Associate Director London Six figure package+Bens

Working at this leading audit and risk consultancy you will assist the IT audit lead in business development whilst leading client engagements and developing strong working relationships with clients senior management. The role offers genuine development opportunities and you will be assessed on your ability to grow into a Director level role. Previous Big 4 or consultancy experience is essential.

Senior Internal Auditor London To50,000+Bens

Due to an internal promotion this leading entertainment group is looking to recruit an experienced internal auditor. You will be joining a global team and will help carry out the annual audit plan by completing a mix of financial, operational and compliance audits. You will be CMIIA/CCAB qualified with at least 3 years audit experience and keen to progress within a role providing broad experience of divisions across the group.

Senior Internal Auditor Europe Berkshire/Surrey To65,000+Bens

This expanding FTSE100 group is looking to strengthen and develop their well respected internal audit team with the addition of a professionally qualified senior European auditor. You will lead and complete financial and operational audits and the role will involve approximately 5065% European travel. The opportunity offers the potential for excellent career progression and a move into line management within three years.

IT Auditor North West To45,000+Bens

An opportunity has arisen for a Big 4 trained IT auditor to join the internal audit division of this successful banking group. You will deliver reviews of operating systems, database management systems or data network components and will work closely with key IT stakeholders. You will have a strong academic record, first class communication skills and will be a high achiever. Excellent career development opportunities are on offer.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW

Internal Auditor London 3545,000+Bens

This specialist financial services group delivers cash management, treasury and fund management services. As part of the audit team you will gain exposure across the whole group and will be encouraged to influence change. A background in financial services audit is required either from practice or an in house role. You should be CMIIA or accountancy qualified or if studying full study support is available. For further details of positions in London/City contact Alexia Demetriou 020 7936 2601 ad@barclaysimpson.com

Internal Audit Manager Buckinghamshire 4560,000+Bens

This life assurance group is seeking an Internal Audit Manager to facilitate bringing the previously outsourced function in house. Working closely with the Head of Audit you will assist in planning and delivering reviews and be expected to build strong relationships with 1st and 2nd line defence and the executive team. The successful applicant will be professionally qualified with internal audit experience gained in the insurance sector. For further details of positions in the Regions contact David Jarrold 020 7936 2601 dj@barclaysimpson.com

Senior IT Audit Consultant Midlands c.35,000+Bens

This is a chance to join a growing service line within this successful accountancy practice. You will lead and deliver audits in both the private and public sectors and will ensure assignments are completed on time and to budget. To meet the requirements of the post you will need to be qualified, able to demonstrate experience of auditing complex IT systems and have the ability to develop effective working relationships with clients. For further details of positions in IT Audit contact Daniel Flynn 020 7936 2601 df@barclaysimpson.com

020 7936 2601

Barclay Simpson Scotland 910 St Andrew Square Edinburgh EH2 2AF

0131 209 7850

bs@barclaysimpson.com www.barclaysimpson.com

Scotland Senior Internal Audit Manager Glasgow Excellent

This well known wealth manager is looking to recruit an experienced internal audit professional. This role focuses on providing oversight and assurance within the compliance monitoring function. This will involve identifying control failures and breaches and making recommendations to ensure minimal impact to the business. Previous management experience is required and a background in wealth management would be desirable.

International Senior Auditor UAE To120,000 Tax Free

This is an outstanding opportunity with a successful fund manager. Joining one of the leading audit teams in the region you will undertake reviews within a sophisticated environment covering a range of investment funds and support operations. You should have experience of auditing within asset management or investment banking and have the ability to influence fund managers to improve the control environment.

Nationwide Interim Opportunities

London South-Coast Yorkshire London East Midlands London North-West Surrey Edinburgh Internal Auditor IT Auditor Internal Auditor Head of IT Audit Internal Auditor Business Auditor Senior Auditor Audit Manager Senior Auditor Lloyds Market Financial Services Retail Banking Corporate Banking Financial Services Capital Markets Financial Services Insurance Financial Services 50,000 pro-rata 350 per day 40,000 pro-rata 650 per day 250 per day 475 per day 300 per day 65,000 pro-rata 400 per day

Senior Internal Audit Manager Edinburgh c.70,000+Bens

Our client, an expanding retail bank, wishes to recruit a proven internal audit leader. Working closely with the HIA and taking responsibility for the management of a small team you will assist with the compilation of the annual audit plan across all areas of the business. You will lead audit reviews and ensure the quality of the output of the internal audit team remains high. You will need to be IIA or CCAB qualified and have excellent people skills.

Senior Internal Auditor Switzerland Romandy CHF100,000140,000+Bens

This world class multinational group is seeking a senior internal auditor. You will be exposed to the challenges the group faces in optimising and streamlining their operations. You will assess risks in all areas of the business and will be part of a multicultural team. You should be a high achiever with experience gained from either the internal audit department of a multinational group or a Big 4.

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte aw@barclaysimpson.com

www.barclaysimpson.com/interimsolutions

Senior Consultant Edinburgh & Glasgow 35,000+Bens

Our client is a well known consultancy providing co and outsourced audit and risk services to clients throughout Scotland. Working across a range of industry sectors you will be responsible for planning and delivering audit and risk work, managing client relationships and responding to client tender requests. In return for delivering a quality service this consultancy is offering real prospects for future career development and progression. For further details of positions in Scotland contact Liam Hughes 0131 209 7850 lh@barclaysimpson.com

Senior Auditor Munich To 70,000+Bens

Our client, a leading international fund management group, is seeking a senior auditor to join a team that reviews their German and Austrian operations. Planning and leading audits you will be responsible for managing relationships with stakeholders and help further develop the department. Previous fund or banking audit experience ideally in a German environment is desirable. Career development prospects are excellent. For further details of International positions contact Marie Marchi 020 7936 2601 mm@barclaysimpson.com

Market Report 2013

Up to date overview of the economy and its impact on corporate governance Sector analysis of the demand for internal auditors Review of salaries Outlook for the future
Download your free copy at: www.barclaysimpson.com

Visit

www.barclaysimpson.com
to access a vast range of free online resources
Search hundreds of audit vacancies Find your current market value Information on where best to live and work Focus on Computer Audit Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the RECs Diversity Initiative.

For more details visit: www.barclaysimpson.com/equalopps

corporate governance recruitment

SEO Senior Internal Auditor

Leeds 33,675 London 37,175
The Department of Health provides strategic leadership for public health, the NHS and social care in England, their purpose is to improve Englands health and well-being and in doing so achieve better health, better care, and better value for all. Taking the lead in the integration of health and well-being into wider Government policy, they work with other sectors and systems with which they do not have a direct relationship, as well as integrating wider public policy into health and care services. They also represent the UK internationally on certain global health issues. The Group Internal Audit Service for the Department of Health is a small in-house team which provides audit services for the core Department of Health and its Arms Length Bodies (ALBs). Operating at SEO level you will report to the Audit Manager and be based at one of two locations; London or Leeds. Conducting a range of internal audits across the Department you will also have the opportunity to work with various ALBs including executive agencies, and non-departmental public bodies. You will lead/assist with a portfolio of audits ensuring effective planning, reporting and clearance of audit work. The post entails significant interaction with the business at a Senior level therefore effective communication of audit findings and recommendations will be a key part of the role. Successful candidates will be able to demonstrate a thorough understanding of Risk, Control and Governance and how these relate to the work of internal audit. Having gained your internal audit experience from either the public or private sectors you will: I Be fully qualified CMIIA or equivalent (ACA, ACCA, CIMA or CIPFA), I Have proven risk based internal audit experience gained at a senior auditor or manager level, I Have highly developed oral and written communication skills, and I Be able to demonstrate advanced influencing and persuasion skills. For further details and to request an application pack please contact either Daniel Flynn at df@barclaysimpson.com or David Jarrold at dj@barclaysimpson.com The closing date for applications is Tuesday 28th May 2013. All third party applications made directly to the Department of Health will be passed to Barclay Simpson.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW bs@barclaysimpson.com www.barclaysimpson.com

020 7936 2601

www.barclaysimpson.com