Issue 10 March/April 2013

The magazine of the Chartered Institute of Internal Auditors

Cheques and balances

Issue 10 March/April 2013

Michael Roemer, head of internal audit atBarclays, on the regulatory challenges ahead for banking

Overseas oversight: the legal pitfalls of entering new export markets Useful pointers: what watchdogs really want from the firms they govern Head above water: how United Utilities deals with its multiple regulators

a. a thorough reversal of outdated technology and complete adoption of TeamMate b. a fundamental change in your audit approach; especially the overthrow or renunciation of one system substituted by TeamMate c. a changeover in use or preference especially in Audit Management Systems

TeamMate is still the Innovation Leader after all these years:

The first Windows based Audit Management System in the world The first Audit Management System to introduce Smart Device functionality

<the TeamMate Revolution>

The Global Leader in Audit Management

Risk Assessment Risk Based Planning Scheduling Extensive Audit Content Electronic Workpapers Surveys Checklists Image Scanning & Annotation Automated Report Generation Full Issue Remediation Tracking Time & Expense Tracking

# of audit departments adopting TeamMate each day # of Languages in which TeamMate is available # of Countries in which TeamMate is Licensed # of auditors using TeamMate daily # of CPD hours delivered in past 3 years

1 14 105

90,000 104,000

020 7981 0566

Contents
20 24

Issue 10 March/April 2013

The magazine of the Chartered Institute of Internal Auditors

16
Issue 10 March/April 2013

Cheques and balances

Michael Roemer, head of internal audit at Barclays, on the regulatory challenges ahead for banking

18

Overseas oversight: the legal pitfalls of entering new export markets Useful pointers: what watchdogs really want from the firms they govern Head above water: how United Utilities deals with its multiple regulators

Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan [email protected] 020 7045 7543 Ruth Prickett [email protected] 020 7045 7572 Chartered Institute of Internal Auditors [email protected] www.iia.org.uk 020 7498 0101 Subscriptions [email protected] 020 7498 0101 Advertising Ian Mehrer [email protected] 020 7045 7596 Creative director Nick Dixon Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.

Front
3 The IIA view
From the CEO, Ian Peters.

Features
12 Credit where itsdue
Why Michael Roemer, HIA at Barclays, is not fazed bythe challenges facing the banking sector.

REGULARS
28 Tools for the job
Resources, books and advice to help you perform.

5 World view
From Richard Chambers, IIA Global president andCEO.

30 Career development tips

Making secondments work.

7 View from the top

From Jonathan Kidd, headof internal audit at theMet Office.

16 Export essentials
The regulatory issues thatbusinesses need to consider when entering a new overseas market.

32 You asked us
Experts answer readers technical questions.

8 Update
The latest news affecting the profession.

34 IIA update
Institute news and membership matters.

10 RSVP
The institute is calling on financial services firms to respond to a new draft code for internal audit in the sector by 12 April.

20 Watchdogs or guidedogs?
Why many regulators are concerned about a lack of legal knowledge in the industries they oversee.

36 Courses and events

Key training dates.

38 Moving up
How one member earned an MBE for her services to governance in fragile states.

24 Going with the flow

How water company United Utilities manages the relationships with its multiple watchdogs.

40 Student noticeboard
Essential information for exam candidates.

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk

F pe rom ru se 1 r

If you want to get actions resolved use Symbiant Tracker

I have now completed this action

Symbiant Tracker will get your audit actions - actioned.

If your having a problem getting audit actions resolved, try Symbiant Tracker and see why its the worlds leading audit action tracking software. Watch the quick overview video at www.symtrack.com/video Trusted by names you know from charities to banks, government to PLC.
D WINNING SOFTWARE OF AWAR

For more information or to arrange a free trial visit:

www.symbiant.co.uk

View from the IIA

Appreciation gained A sense of realisation

Two tangible results have emerged from our strategy of engaging with policy-makers, regulators, business chiefs and leaders of the internal audit profession in financial services and the public sector.
Ian Peters, chief executive of the IIA.

As attitudes towards the management of risk develop and mature in the UK economy,our profession and International Standards aregaining a new significance. The institutes plans to broaden the recognition of internal audits valueare turning into reality. Two tangible results haveemerged from our strategy of profileraisingand engaging with policymakers, regulators,business chiefsand leaders of theinternal audit profession in boththe financial services industry and thepublic sector. Our initiativesin these areas are making this themost significant period for our policy work since I became chief executive more than three years ago. When I arrived at the institute, internal audit had been overlooked in the analysis ofthe causes of the financial crisis. The functionhad not been seen as part of the problem. Consequently, there was a risk thatit would not be seen as part of the solution, either. But since then we have worked hard to make the case to policymakers and standard-setters about the role that internal audit can play in the process oflearning lessons from the crisis and rebuilding confidence. With so many other constituents dominating the corporate governance and risk management headlinesand filling the seats at inquiries,

ithas often been difficult toget internal audits case heard. But our ears pricked up when we started hearing messages from the financialregulators about the need toharness internal audit more effectively. That led ultimately to the creation of an independent, industry-led committee to developnew guidance based on ourInternational Standards. That committee has produced draftrecommendations for guidance a first for the UK financial services industry upon which it is seeking comments. This is a milestone and it has been reported loud and clear not only in this country but also around the world. The article on page 10 explains thesignificance of the new guidelines for theindustry. There is another key initiative highlightingthe relevance of internal audit, this time in the public sector. This sector is astep further down the path to giving more recognition to the value of internal audit. From April, internal audit departments in central government, local authorities and other public service providers will have a better platform because for the first time theywill all be working to the same publicsector internal audit standards (PSIAS).

We have worked hard to make the case about the role that internal audit can play in learning lessons from the crisis and rebuilding confidence

The PSIAS are based on the International Standards with additional requirements and interpretations added for the UK public sector. Thesehave been developed by the Chartered Institute of Internal Auditors, workingalongside the Chartered Institute of Public Finance and Accountancy (Cipfa) and theother internal audit standard-setters across centraland local government, including the devolved governments andthe NHS. In collaboration with Cipfa, the institute has created an internal audit standards advisory board to draw together all the standard-setters in order to review the new guidance and, following a nationwide consultation, ratify it. The UK public sectors adoption of this new guidance sets higher expectations for the role and scope of internal audit and provides a consistent framework for its delivery across the sector. The guidance alsocreates a clearer basis for assessing theperformance and development needs of internal audit teams.

HAVE YOUR SAY

Post your comments about this article or any of the issues raised at www.auditandrisk.org.uk

Comprehensive Audit & Risk Management Software

Optimised for the world of cloud computing

Where will you be using Pentana Vision?

Global audit management software

Modern screen design that operates globally over a range of network speeds without the restrictions of a browser interface Flexible audit planning by entity structure & process Home screen identification of items for your action and review In-built audit methodology and audit report templates Simple deployment and automatic software updates Audit work can be focussed on risks identified from integrated risk registers

Pentana Vision

www.pentana.com/vision Enquiries: [email protected] Call: +44 (0)1707 373335

View from IIA Global

Key changes Giving clarity on conformance

Our new Standards, which took effect on 1 January, feature 18amendments. While some were changed only slightly, several of the changes are critical to the daily work of internal auditors.
Richard Chambers, president and CEO of IIA Global.
Like all credible standard-setting bodies, IIAGlobal has a rigorous process for developing its authoritative guidance: the International Professional Practices Framework (IPPF). This enables the International Standards for the Professional Practice of Internal Auditing to be updated in a timely way, minimising confusion and maximising clarity so that internal audit professionals around the world can comply more easily with them. Its reassuring that this mechanism is supervised by an oversight council, which has representatives from stakeholders such as the International Federation of Accountants and the World Bank. Thanks largely to this independent group and to the International Internal Audit Standards Board, revisions to our authoritative guidance are reaching practitioners faster than ever. I feel proud and secure in knowing that the Standards guiding our profession are backed by this level of rigour and oversight. Our revised Standards, which took effect on 1January, feature 18 amendments. While some were changed only slightly, several of the changes are critical to the daily work of internal auditors. First, the 2013 IPPF clarifies internal auditors individual responsibilities, as well as who is responsible for the whole functions conformance with the Standards. This has long been a concern, as most practitioners have no authority over the way all audits are done. The clarification states that individual practitioners are specifically accountable for conformance regarding their own objectivity, proficiency and due professional care. But it further states that accountability for the internal audit activitys overall conformance rests with the chief audit executive (CAE). Standard 1312 adds conformance guidance on quality assurance. To ensure ongoing quality and improvement, external quality assessments are required every five years, but self-assessments with independent validation are now acceptable. This change provides welcome flexibility, especially for teams unable to obtain a full external quality assessment owing to a lack of resources. A revision to the interpretation of Standard 2600 clarifies the CAEs role in communicating unacceptable risk. The CAE may do this via an assurance and consulting engagement; by monitoring progress on action taken by management as a result of prior engagements; or by other means. adjustments be made to the audit plan. It requires the CAE to review and adjust the plan, based on changes concerning the business, risks, operations, systems and controls. While this has been business as usual for many leading internal audit shops, its now required for all those wishing to conform. Standards 2120 and 2130 now require internal audit to evaluate the adequacy and efficiency of controls covering the organisations strategic risks. I and many others have discussed internal auditings role here over the years, so Im especially pleased to see that the Standards have addressed it. As well as evaluating the organisations effectiveness, efficiency, risk management and regulatory compliance, internal auditors are now required to play a key strategic role. I believe that bringing internal audit to the strategy table is a crucial step towards taking full advantage of the value it offers. I think you will agree that these changes are positive. At times like this Im reminded of how our profession has developed over the years and why I continue to be so fascinated by the work we do and the opportunities ahead. You can access a PDF of the revised Standards, which highlights the changes, on www.theiia.org.

Accountability for the internal audit activitys overall conformance rests with the chief audit executive
Clearly, it is not our job to fix whats wrong. We assess the risks and give our objective opinions, while managers implement corrective action and manage the risks. Because change is unavoidable in organisations, the audit plan must also be dynamic, allowing for revisions when needed. Standard 2010 mandates that timely

For further information

Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/IIACEO

Get PIIA qualified

Sign up now for the IIAs comprehensive distance learning programme for the IIA Diploma to sit exams in November 13. Our programme gives you the structure you need to successfully complete your qualifications including:
s Online support s Committed and experienced tutors s Consistently high pass rates s Bespoke and up-to-date study materials s Study support and revision workshops s The peace of mind knowing you chose the Institute for your studies

Kick off your revision for the June 13 exams by attending one of our Revision workshops.

Dont delay get qualified! Contact IIA Learning: Tel 020 7819 1939 email [email protected] www.iia.org.uk/learning

View from the top

On the map Finding a clearer outlook

Because the Met Office has such complex IT and a wide range ofactivities including commercial ones ensuring that my internal audit team covers the right areas is a big challenge.
Jonathan Kidd CMIIA, head of internal audit at the Met Office.

The public-sector internal audit standards that take effect in April state that the chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organisation and that this can be achieved through risk-based plans to determine the priorities of the internal audit activity, consistent with the organisations goals. When you have limited resources, its clearly impossible to cover everything, but which issues should be prioritised? This question is particularly pertinent to me in my role at the Met Office. With 1,800 employees at 60 sites worldwide, it makes 3,000 forecasts a day using more than ten million weather observations and sophisticated computer modelling. These are delivered to the public, the armed services and many other organisations. Because the Met Office has such complex IT and a wide range of activities including commercial ones ensuring that my team covers the right areas is a big challenge. Weneed to focus our resources efficiently at the start of the audit planning cycle and continue doing so as we deliver the plan. Itsalso crucial to make this process clear to our senior executives and audit committee. To achieve both of these aims, we use two tools: an assurance risk map and a rolling audit plan. Assurance risk mapping can be time-consuming and complex. But, as with any tool, it should be used with a pragmatic attitude and adapted to the task in hand. Ive seen many failed assurance mapping attempts simply because the task was approached as an academic exercise rather than to achieve a purpose.

The inputs for our annual planning cycle are still included from traditional sources, such as risk registers, business plans and any critical change activities. Priorities are also still set using a standard scoring mechanism based on areas such financial impact, strategic importance and complexity. Understandably, it produces a list of potential audits that we cant cover fully with limited resources. This is where a pragmatic application of assurance risk mapping

No single approach fits all organisations, but reinventing the wheel is not always the best solution
really adds value. It gives a clear view of all proposed audit work in the context of corporate objectives and risks, the appetite for risk, internal audit work in the past three years and assurance provided by other lines of defence. We can instantly see areas of concentrated audits where the levels of, or appetite for, risk dont warrant so much attention and perhaps where assurance levels are already high. Similarly, any gaps

are clear to see and audits not previously identified can be added to the planned work. Thisvisual representation also highlights the transparency and robustness of our planning process to the auditcommittee. Any potential audit work not selected in this process is added to the rolling plan. This document is reviewed and amended regularly. Ifa new risk is identified, if the risk priorities or appetite change, oreven if we receive a request for audit work, this goes on to the rolling plan and is categorised before being added to the assurance map and assessed against the annual plan. Although this works for the Met Office, experience has taught me that no single approach fits all organisations. But reinventing the wheel is not always the bestsolution. Often a pragmatic applicationof the tools available to you will ensure that the audit plan continues to support your organisation as its plans, activities and riskschange.

About the author

Jonathan Kidd has over 15 years experience in audit and IT, gained in banking, telecoms, accounting and the public sector. He is a member of the IIAs Heads of Internal Audit Service.

Additional news, features and views are posted online all the time. Go to www.auditandrisk.org.uk to see whats new.

UPDATE
Guidance for audit committees
Audit committees are facinganother challenging year in 2013. Continuing economic uncertainty; globalisation; digitisation; and increased government regulation and enforcement are reshaping the business and risk environment. To help audit committees and their boards meet all these governance challenges, KPMGs Audit Committee Institute has published a guidance document, Audit committee priorities for 2013.

We round up the latest business and regulatory news to affect the internal audit profession.

Public sector gets its own set ofstandards for internal audit
Governance and risk management in the public sector will be strengthened on 1 April when new internal audit standards come into force. It is hoped that their adoption will help to meet the need highlighted by the National Audit Office to support the process of change and deficit reduction across government. The standards, which were developed by the IIA in collaboration with the Chartered Institute of Public Finance and Accountancy (Cipfa) and other relevant standard-setters, will create a framework for delivering internal audit services across the sector. The guidance also creates a clearer basis for assessing the performance and development needs of internal audit teams. The standards are based on the International Standards set by IIA Global, with extra requirements and interpretations specific to the UK public sector.They were reviewed by the Internal Audit Standards Advisory Board and ratified after a national consultation process. Cipfa and the IIA have created two training courses for finance and internal audit professionals on implementing the standards, which set clearer expectations for the practice of internal audit for all those who use its services: accounting officers and executive management, boards and audit committees , said Ian Peters, CEO of the IIA. The new guidance points the way in building the capabilities of internal audit and harnessing its full value to effective corporate governance. Steve Freer, CEO of Cipfa, added: As the public sector adapts to sustained funding reductions and continues to roll out major reform programmes, effective internal audit is more crucial than ever in ensuring transparency and accountability in the management of risk. The standards can be downloaded from www.iia.org.uk

The guidance can be found at bit.ly/U8WPCZ

Cyber risks go under radar

Many companies still do not devote enough attention to cyber risks, despite an increase in the frequency, scope and sophistication of online crime and harsher regulatory penalties, according to the Federation of European Risk Management Associations (Ferma). Only 16 per cent of companies covered in a recent survey sponsored by Ferma said that they had a designated chief information security officer to oversee online risk and privacy, while fewer than half (49 per cent) said that they had astrategy for communicating to the general public if they were to suffer an attack via the internet. The survey also found that regulatory and compliance concerns were driving most cyber risk planning. To read the survey, Meeting the cyber risk challenge, visit bit.ly/WGOIPN

Internal audit falls short of committees expectations

Fewer than half of UK auditcommittees think that the internal audit function is working effectively, a survey has found. According to a global poll of 1,800 audit committee members by KPMG, only 48 per cent of UK respondents said that they were fully satisfied that internal audit was adding the value that it should, while 32 per cent said that the internal audit plan could focus more effectively on critical risks. Only just over a third of UK respondents said that they were fully satisfied that their companies risk management process were dynamic enough to cope with emerging IT and social media risks. The full survey report can be downloaded from www.kpmg.com/aci

Natural disasters cost world 200bn

Impact Forecasting has issued its Annual global climate and catastrophe report , which reveals that 295 natural peril events occurred worldwide in 2012 (compared with 257 in 2011), causing total economic losses of $200bn. While these losses were close to the ten-year average, insured losses in 2012 were 36 per cent higher than average, because the two most costly events of the year occurred in the US, which has higher-than-average insurance penetration.

MPs warn against risky plans for Audit Commission

Plans to overhaul the audit regime for local public bodies contain serious risks and gaps that could make it more difficult to ensure value for money incouncil spending, a committee of MPs has warned. If enacted in its current state, the draft local audit bill would complete the closure of the Audit Commission by April 2015 and allow local authorities to appoint their own auditors from 2016. But the ad-hoc committee believes that the plan for each council to agree its own audit deal would not represent valuefor money and could even cost more than the Audit Commission. The committee has published a report calling for a central procurement body to ensure best value, as well as for the bill to be amended to give the National Audit Office a stronger role in the local audit regime. It also wants the auditorgeneral to publish detailed audit guidance alongside an audit code for town halls. For more details visit bit.ly/10BwOCD

FTSE firms urged to hire female directors

The secretary of state for business, Vince Cable, has called on the seven remaining FTSE-100 companies with all-male boards to increase the number of women in their boardrooms. Cable wants Antofagasta, Croda, Glencore, Kazakhmys, Melrose, Vedanta and Xstrata to explain what they have done to improve diversity at board level. Over the past two and a half years we have seen real progress in the number of talented women reaching the boards of our top companies, he said. My vision by 2015 is that Britain will not have a single FTSE-100 board without a significant female presence. For Cables full statement, visit bit.ly/VmlyCo

To see the report visit bit.ly/q11KnK

Firms learn lessons in risk from London 2012

A BT survey into the insights gained from the London 2012 Olympic Games has found that 62 per cent of UK organisations believe the event taught how to cope better with disruption and uncertainty. More than 80 per cent made business continuity plans, which they started an average of 28 months before the games took place.

Banks wary of further DDoS attacks

Nearly two-thirds of IT security experts in banks had to deal with at least one distributed denial-of-service (DDoS) attack in 2012, according to a poll sponsored by Corero Network Security. More than three-quarters of respondents to the survey of 650 IT security professionals at 351 banks also said that such cyber attacks would either continue at the same rate or significantly increase in number this year, leaving banks vulnerable to downtime and compromised data. Read the report at bit.ly/WjpLuH

Read the findings atbit.ly/UJaRwu

RSVP
Words: Grant Murgatroyd
A new draft code for internal auditors in financial services aims to help internal auditors protect their organisations from future scandals in financial services and restore confidence in the financial system. The draft code was published on 11 February and the deadline for comments is 12 April. Chief among the recommendations is that internal auditors report to board chairmen instead of executives. The independent committee behind the draft code is concerned that executives could unduly influence internal audit if, for example, internal auditors directly reported to them for HR and remuneration purposes. The code says internal auditors remuneration should be structured in a manner such that it avoids conflicts of interest, does not impair their independence and objectivity and should not be directly linked to the short-term performance of the organisation. The committee was set up by the IIA and is chaired by Roger Marshall, audit committee chair at companies including insurer Old

The IIA is calling on financial services firms to respond to a draft code aimed to help organisations restore trust and benchmark their internal audit functions.
Mutual. It comprised nonexecutives, executives and internal audit and risk management practitioners from across the financial services sector. Observers included the Financial Services Authority (FSA), the Financial Reporting Council and the Bank of England. Andrew Bailey, director of the Bank of England and managing director of the FSAs prudential business unit, welcomed the draft code, arguing that financial firms had expected too little of internal audits in the past. The regulatory authorities expect firms to have robust internal audit functions capable of providing genuine challenge to management. I hope that this guidance will help internal audit functions position themselves to achieve that. The code builds on guidance from the Basel Committee and the US Federal Reserve Bank, but takes into account the UK corporate governance system and the complexity of UK financial institutions. Recommendations include that:

10

The regulatory authorities expect firms to have robust internal audit functions capable of providing genuine challenge to management

}
Swiss bank UBS 29.7m for systems and control failings that allowed London-based rogue trader Kweku Adoboli to lose 1.4bn. The regulator is also investigating how a trader at the London office of JP Morgan lost 6bn last year. The new code is an important contribution to strengthening internal audits role in improving the management of risk, in response to the financial crisis and more recent examples of failure to exercise proper control, says Marshall. Our aim is to encourage internal auditors to obtain a consistently wide view across the range of risks within their organisations and exert greater influence in ensuring that those risks are managed throughout the financial services sector. This will help clarify internal audits role in relation to, for example, the quality of information on which boards base their decisions, or whether the risks associated with key decisions such as on takeovers, are properly managed. Dr Ian Peters, chief executive of the IIA, said that the code enhances internal audit standards set by IIA Global and is the first guidance specifically aimed at UK financial services firms: It is now vitally important that the sector provides its feedback on the draft code to ensure that it can support internal audit to perform its role to full effect, he said. The consultation document can be found at www.iia.org.uk/ fsconsultation

It is now Internal audits primary vitally role is clearly stated as important helping to protect the that the sector assets, reputation and provides its sustainability of their feedback organisation.
T he scope of internal audit should be unlimited internal auditors should not be barred from assessing the management of any risk in any part of the business. Internal audit should assess whether the organisations processes and actions are in line with its values, ethics, risk appetite and policies. To ensure its independence and authority the primary reporting line of internal audit should be to the chairman of the board of directors, not to the chief executive. Internal audit should be adequately resourced, skilled and quality assured. Once finalised, the code will provide financial services firms with a benchmark so that boards and regulators can assess the effectiveness of organisations internal audit functions. A lack of internal controls has been blamed for the scandals that have led to hefty fines for many companies. In February Royal Bank of Scotland was fined 391m by regulators in the US and the UK after traders attempted to manipulate Libor, following a 290m fine meted out to Barclays for the same offence last year. Other scandals have also thrown light on the deficient risk controls in financial firms in the City. Last year, the FSA fined the



11

12

here is no such thing as business as normal in banking , says Michael Roemer.The head of internal audit at Barclays has reason to know. Having cut his teeth on a series of banking mergers, he served as chief auditor at US insurance giant AIG in 2005-09 a tough period for the company, which ultimately had to be bailed out by the Federal Reserve. In 2012 Roemer moved to a new job in London at Barclays, only months before the bank faced allegations that its traders had been involved in fixing the London inter-bank offer rate (Libor). Roemer therefore has experience of difficult conversations with regulators, but the challenging times have reinforced his conviction that internal audit needs to be fully engaged at the highest levels of the organisation. Influence comes hand in hand with responsibility, but a dose of pragmatism is needed, too, he says. In a crisis its important to focus on what you can control, not on what you cant. Constant change is the new normal you have to understand that, Roemersays. I tell the team that we can provide world-class internal audit and be responsible to the shareholders, the board and the regulators, but we must expect constant change.

A guiding hand
Delivering world-class internal audit depends on a shared understanding of consistent world-class standards, which is why Roemer has been contributing to the formalisation of new guidance on

internal audit in financial services.The independent committee running the consultation will report to the IIA with proposals for a new code of practice. This is intended to define the scope of work for internal audit across the sector and to provide support that will enable the function to influence and challenge management at the highest level.These are all subjects close to Roemers heart. But it is not enough to have the best standards.They must be widely understood, so that they can be used across the whole function.Thisis one reason why Barclays has signed up to a unique worldwide IIA training and membership package for its team of nearly 600 internal auditors in 20 countries, each of whom becomes a member of their national IIA organisation. It is also supporting a project to give new recruits accreditation in the IIA Certificate in Internal Audit and Business Risk through the Barclays new entrant learning journey , while in South Africa its sponsoring a masters programme in internal auditing at the University of Pretoria. Internal auditors need to be worldclass and professional in all theydo and one way to do this is to gain IIA accreditation and professional qualifications, Roemer explains. Thisadds value to the organisation aswell as developing the individuals. Webelieve that regulators will view this relationship with the IIA positively. For Roemer, training and succession planning are a vital part of running a

To say that Michael Roemer is aman for a crisis would be an understatement. Barclays HIA explains why hes well versed atkeeping cool under pressure.
Words: Ruth Prickett Photographs: Peter Searle

Credit where its due

In a crisis its important to focus on what you can control, not on what you cant. Constant change isthe new normal you have to understand that

13

internal audit team. He remains proud that the internal candidate whom he recommended as his successor at AIG is still there today. His belief in the value of people management skills has been tested in the toughest conditions: at AIG he had to maintain the teams morale while the organisation was under intense press scrutiny and his function faced internal enquiries. Roemer was proud that the regulators subsequently cleared internal audit of negligence in the lead-up to the companys collapse.

You need courage to tell the board that you disagree with the CFO and CEO

Savoire-faire and impartiality

Communication is another crucial skill for internal auditors, according to Roemer, who has learned to adapt his style when dealing with executives, regulators and external auditors. Knowing when to be sensitive and when to be courageous is critical. At AIG, for example, the company was valuing certain positions that we thought were inappropriate. You need courage to tell the board that you disagree with the CFO and CEO, he says. The regulators are an increasingly forceful presence in Roemers sector and banks are already working hard to implement what they introduce. But he believes that internal auditors should work closely with the watchdogs, even when not under scrutiny. Regulation shouldnt be a box-ticking exercise. Regulators should be treated in the same way as any client or colleague. Our aims are complementary they want to help firms manage risk and treat their customers fairly, he says. Im a big believer in forging strong relationships with regulators. I make a point of meeting them in all the areas where we operate and I discuss issues with them all the time.You have to work with them and provide the information they need to do their jobs. Roemers pragmatism and soft skills have been honed over a career of managing problems. Born in New York, he worked in accounts at New York bank Manufacturers

14

HanoverTrust as a student. After graduating he secured a job there in internal audit. Hestayed for many years and was involved in several mergers, all of which gave him unique challenges and learning opportunities. Internal audit was an important part of each merger and I gained experience in every other part of the business, he says. By the time we merged with Bank One Corporation in 2004 Iwas also head of staff for internal audit and was an ex officio member of the investment bank management committee. But, when the chief internal auditor role in the merged organisation went to another candidate, Roemer moved to AIG as chief auditor in 2005.There was a lot of work to do. It took him six weeks to find out how many internal auditors were on the payroll (350). Fifteen people reported directly to him and there

In profile: Michael Roemer

Roemer started work at Manufacturers Hanover Trust in NewYork and then transferred to Atlanta for four years. Back in New York he worked on mergers with Chemical Bank, Chase Manhattan, Robert Fleming, JP Morgan, Hambrecht & Quist and Bank One Corporation. In 2005 he became chief internal auditor at AIG. He remained there until 2009, working through the rescue of the company and the ensuing regulatory investigation. After a brief stint at a start-up venture he became chief auditorat CIT Group. He relocated to London to join Barclays in January 2012. He appeared before the parliamentary commission on banking standards as part of a panel to answer questions following the issues of the summer. He is a member ofthe IIAs Internal Audit Leaders Forum for FTSE-100 heads of internal audit and has contributed to the fact-finding process in developing new guidance for thefinancial servicessector.

were 15 different audit reporting systems, none of which was automated. Roemers first task was to integrate the internal audit team, automate processes and start developing relationships inside the organisation and with the regulators. Again, he ensured that he was an ex officio member of the management committee. Its important to demonstrate the value of internal audit to the organisation, he says. Weneed to show what we do and why we matter. We need to change the idea that all internal audit does is assurance work. The first signs of the credit crisis came to AIGs attention in summer 2007. Roemer and the external auditors alerted the board. The situation got steadily worse and it was very stressful, but at all times internal audit was an active participant, gathering intelligence and auditing the companys response, he recalls. After the US government took over the company in September 2008 Roemer and the internal audit team had to keep going despite a tense atmosphere and negative press. The regulators spent two months reviewing internal audits performance before the crisis. Roemer says it concluded that internal audit had raised appropriate issues on time and had worked with the external auditors and the board. I learned some important lessons that would prove useful during the Libor crisis at Barclays. Inacrisis you have to start with your team and help them to understand what it meansfor their jobs and what the company needs from them now, he says. But Roemer was affected by the experience. I was comfortable with my teams performance and what we had done, but I was still chief auditor of a company

management skills. He hopes that more business experience will give internal auditors skills in product development and general management.

A dream career
Roemer is keen that Barclays internal auditors should be qualified with the IIA and be encouraged to network and share best practice externally. When I started as an internal auditor I initially thought Id made a terrible mistake, he confesses. I was at a meeting and one of my colleagues had fallen asleep. It looked as though this was where you went to end your career. Now its completely different. Internal audit is a place to start a great career and your skills can benefit the whole company.The IIA plays a huge part in getting this message across. There are more upheavals on the horizon most obviously, massive regulatory changes. Roemer does not expect these to cause big shocks, buthe also sees new risks evolving.These include developments in operational risk and enterprise risk management and to internal controls, which, he believes, need to be more automated. Financial services providers will also need to differentiate themselves more, while technology and service levels will become increasingly important. The banking crisis intensified the focus on internal audit, and in doing so has forced the function to raise its game, he says. Financial services are also affected by tail risk from issues such as Libor and the mis-selling of payment protection insurance. Although these are not problems now, well have to deal with their consequences. Roemer is confident that internal audit is in the best place to meet these challenges. His experience in the sector has been bumpy, but never dull. Whatever happens next, he is keen to ensure that the next generation of internal auditors are ready to face the future at Barclays and to make the profession ever more valuable to the sector.

Regulators should be treated in the same way as any client or colleague. Our aims are complementary they want to help firms manage risk and treat their customers fairly
that had needed to be bailed out and that had been the subject of very negative press, he says. couldnt resist. It was a great opportunity to work on a global brand, a bigger platform and in a different part of financial services, he explains. No sooner had he got his feet under the table, however, Roemer found himself dealing with the fallout of attempted interest-rate manipulation at the first bank to be identified by the authorities. A few months after arriving in London he was answering questions at the parliamentary commission on banking standards. These experiences on the front line have crystallised Roemers belief that internal audit can act as a more forceful, valuable asset to business. You need to demonstrate the unique perspective of internal audit and its ability to look across the entire organisation, he says. I believe that internal audit should be a source of talent for the whole company. In order to achieve this, we need to move people around to develop their expertise and knowledge of the business. This position, Roemer says, gives internal auditors the chance to hone their communication, analysis and relationship

15

Out of the frying pan

Seeking a change, he accepted a job at a start-up organisation. He built the audit delivery model it needed, but then heard that CIT Group was looking for a chief internal auditor. He had worked with the company before, but it was now an independent organisation run by JohnThain, with whom he was keen to work. CITs audit function had been criticised by the regulators and Roemer saw that the team was under stress. As in previous roles, he ensured that he was on the management committee and that internal audit got involved in far more than assurance work, including due diligence and acquisitions. Hebuilt the internal audit team from 50 to 75, introduced a performance management system and developed processes to improve the firms relationship with the regulators. Roemer had no plans to leave CIT, but when he was approached by Barclays he

Plastic carrier bags attract a levy in Hong Kong. UK marine radios dont need to be retested in Germany. Legislation based on EU directives applies in some countries that arent EU states and this legislation can also vary between member nations. Who knew? The fact is that, when British and Irish companies decide to tradeacross borders, there is a lot to think about not least the labyrinth of legal requirements to comply with when trading in a new market. A beginners common error is to assume that the EU rules you observe at home are the same across Europe, says Peter Hogarth, regional director for the east midlands at UK Trade & Investment (UKTI). He notes that specifications for many goods have been harmonised at EU level, but there are still exceptions because different countries interpret directives into national law differently. This means that

16

Export essentials
Words: Wilma Tulloch

exporters can be caught out. You might say: I did it this way for Germany, so it should be fine for Italy. Well, it isnt necessarily, Hogarth says. You really have to be aware of the regulations by country. Dont make assumptions. Producer responsibility regulations are another potential pitfall.This hazard has been created by the fact that the world is running out of crucial resources such as oil, aluminium ore and precious metals, which creates pressure to recover and recycle those materials a costly process. One solution is to make producers, as well as users, bear some of that cost. This has given rise to producer responsibility regulations. The first such legislation was an EU directive on packaging waste. In response, the UK enacted the Waste Packaging Regulations 1997. These require each UK business turning over 2m-plus and handling 50 tonnes or more of packaging a

When in Rome, do as the Romans do is a good motto for firms looking to trade overseas. With myriad regulations to consider, how can internal auditors help their businesses to avoid the pitfalls of doing business abroad?

You might say: I did it this way for Germany, so it should be fine for Italy. Well, it isnt necessarily. You really have to be aware of the regulations by country

year to register with the Environment Agency; todisclose the amount of packaging it puts into the market; and to contribute to the cost of recovering or recycling that material. While the UK was legislating, all the other EU member states, including Ireland, were enacting their own laws to take account of the directive, explains Duncan Simpson, sales and marketing director at Valpak, an environmental compliance consultancy. But these are not all the same, hesays. They may have different thresholds in different countries; they may require you to have a physical entity in the country or they may not; they may charge different rates for recovery and recycling; or they may require companies to report data at different frequencies. So, although the national laws should be broadly similar, the details can differ in every member state. Thats what makes complying with producer responsibility legislation so complex. Also, after the packaging legislation, the EU introduced a similar directive on waste electrical and electronic equipment. A growing number of markets beyond the EU are adopting producer responsibility legislation, too hence the plastic bag levy in Hong Kong. Inthe US (bearing in mind that each state can have different regulations from those of its neighbours), textiles, tyres, pharmaceuticals and several household products are also subject to producer responsibility law. The number of markets with this type of legislation isonly set to grow, according to Simpson.

17

Taking ownership
Another complication of producer responsibility is that its not always clear who is liable and when, because the regulations tend to cover both producers and distributors. You need to know where materials come from and where they go, Simpson says. Do you own them all the way down the line? Or, if someone does something with them on your behalf, what are the legal ownership issues?

In the Middle East and some developing markets, we can find out about rulings only when the product is delivered to port

18

Its better, he explains, to work out your liability well in advance to factor that cost into the business plan before getting involved in overseas markets. That way you avoid any unpleasant surprises. A firm with a long experience of avoiding unpleasant surprises abroad is Dorset Cereals, which sells its breakfast cereals and cereal bars in 80countries. Its main markets are the US, Canada, the Netherlands and the UAE. Jeremy Stoker was its international commercial controller for four and half years (he is now commercial marketing manager). He cites the regulations of the Australian Quarantine and Inspection Service (AQIS) as legislation thats particularly challenging. The details it requires are almost to the point where you have to reveal your manufacturing secrets, he says. This is something that not all suppliers are happy to do. The company which prides itself on its carefully sourced ingredients was asked by the AQIS to fumigate or roast the sunflower seeds in its muesli. This was because the Australians had had a bad experience with another supplier, whose sunflower seeds had germinated. This had created a potential breach of bio-security regulations designed to keep the country free of exotic imported pests and diseases. Fortunately, Dorset Cereals and its local distributor were able to negotiate their way around the requirement.

How in practice does Dorset Cereals maintain compliance in 80 global markets? Stoker explains that it often finds out about the changing regulations that apply to its products through its import partners. We also work with trade associations and with Leatherhead, he says. Leatherhead Food Research is aspecialist agency that, among other services, provides international regulatory advice. Stoker says that regulators in Europe, North America and the more developed Asian nations tend to give three months notice of any change. But thats not the case in every market. In the Middle East and some of our developing markets, we can find out about rulings only when the product is delivered to port, hesays. Thatrequires Dorset Cereals localpartner to conduct dockside negotiations. Inaddition, Stoker adds: Typically we will send a letter to the authorities asking for leniency while we makechanges as quickly as possible.

Helping companies to succeed

What do internal auditors need to know about compliance in overseas markets? Probably mainly that its complicated, but not insuperably

Just say no: bribery and corruption in foreign markets

There may have been a time when firms trading abroad felt the need to adopt local business customs, even when those involved the odd brown envelope. But the clear message coming from the UKTI is: dont do it. EU legislation led to the UK Bribery Act 2010 and the Prevention of Corruption (Amendment) Act 2010 in Ireland. The former created four offences: bribing another person; receiving a bribe; bribing a foreign public official; and a new corporate offence of failing to prevent bribery. UKTIs Peter Hogarth explains that you can be prosecuted in the UK for what you do overseas, including cases where somebody providing services on your behalf an agent or distributor, for example commits bribery. The act is really quite clear about your liability should you get involved in anything like that, he warns. And, although this is a UK act, it applies to Irish companies and partnerships with a business presence in the UK. In both jurisdictions, organisations should ensure that procedures are in place to prevent people associated with your organisation from being involved in acts of bribery. To help, the UK Ministry of Justice has issued guidance that suggests six key principles to follow to determine what procedures must be put in place. Visit www.justice.gov.uk/legislation/ bribery or bit.ly/AntiBriberyIreland forfurther information.

Everybody else in your market is going to have to comply with the same rules that you are

so. Hogarth stresses that would-be exporters shouldnt be deterred. As he says: Everybody else in your market, both domestically and internationally, is going to have to comply with the same rules that you are. There is also a lot of help out there. UKTI can call on people around the world who can help to identify the legislation that applies in different markets. Enterprise Ireland fulfils much the same role for Irish companies looking to export. Among other things, it has representatives in over 60 countries and conducts in-depth market research. It also supplies mentors and external experts who can provide advice. The Department for Business, Innovation and Skills (Bis) can help British exporters and overturn legal and regulatory barriers that appear biased in favour of domestic operators. The UK Single Market Centre within Bis includes the Point of single contact , the online e-government portal enabling services businesses to research information on how to do business in other member states. And Solvit offers firms practical assistance if a problem should arise with the public authorities of another member state. For example, Solvit persuaded the German licensing authority that UK marine radios did not need to be retested in Germany in order that radio-station licences could be issued. Further help in exporting in Europe can be obtained from the Enterprise Europe Network (see contact details, below). When exporters fail to comply with overseas regulation, it can result in fines, impounded goods, additional costs and a loss of reputation. But, when these companies get it right, the rewards are undoubtedly worth the compliance effort. USEFUL resources UK Single Market Centre: bit.ly/SingleMC UK Trade & Investment: www.ukti.gov.uk/export Solvit: bit.ly/SolvitEU Enterprise Europe Network: bit.ly/EENportal

19

Watchdogs or guide dogs?

20

Several industry regulators are havingto devote a growingproportion of their resources to advisingfirms, rather than policing them. Whilethey are largely happy to do so, some are concerned about companies lack of basic knowledge and common sense in the compliance process.
Words: Neil Hodge Illustrations: Toby Morison

Data protection is not privacy protection. Organisations can share personal data the eight data principles have allowed this for the past 15 years

While some organisations are overzealous in how they interpret and observe the regulations that govern them, others take a far more relaxed attitude, believing that they are fully compliant andsafe from censure unless their industry watchdog investigates them. Regulators say that both approaches are unsatisfactory and run the risk of penalty. They are mystified as to why so many organisations find their rules so hard to understand. In many cases the regulators have drawn these up after lengthy consultations with the very enterprises they oversee. And often the laws and principles that organisations are supposed to observe have existed for decades.The Health and Safety at Work Act dates back to 1974, for example, while the precursor to the UK corporate governance code the Cadbury report was published in 1992. Undeniably, such legislation has been updated and extended, but rarely completely overhauled, at least not without a transition period. Organisations and internal auditors should therefore have few problems following them. Jonathan Bamford, head of strategic liaison at the Information Commissioners Office (ICO), whichoversees the safe handling of personal data, is one of those regulators whos mystified. Considering that the UK has had data protection legislation in place since 1984, it is strange that people continue to struggle with it, he says.

21

Way off base

One of the most common examples of the widespread lack of understanding is the mistaken belief that personal data cannot be shared among organisations. Data protection is not privacy protection. Organisations can share personal data the eight data principles have allowed this for the past 15 years, Bamford says. He points out that the ICO which has the power to prosecute individuals and fine organisations up to 500,000 for breaches of the Data Protection Act 1998 has received 200,000 calls on its helpline requesting guidance on the legislation in the past year, compared with 13,000 complaints about

We are looking for a proper assessment ofrisks, an understanding of the issues and amethod to identify control weaknesses andremedy these where appropriate
breaches of it. Most enquiries have come from organisations rather than individuals. No organisation should suffer in silence, Bamford says. If you have doubts about data protection, call our helpline on 0303 123 1113 and we can offer advice. He adds that the ICOs approach is to encourage organisations to comply, rather than to punish them , and that it can make free advisory visits with an organisations consent to highlight potential problems. It also hosts an annual data protection officers conference to improve peoples understanding of what the regulator is seeking. So far this year the London Borough of Camden, the Metropolitan Police Service, NHS Grampian, Northumbria ProbationTrust and Somerset County Council have had advisory visits. Most have agreed to the ICOs publication of its findings. Such reports not only provide useful feedback for the bodies involved; they can also be used as a guide by others seeking a better idea of regulatory tolerance ie, what the ICO will allow. assessment of risks, an understanding of theissues and a method to identify control weaknesses and remedy these where appropriate. Approaches will differ from oneorganisation to the next, but this is fine as long as management and internal audit can justify these. Trainer says that the CQC has moved towards a risk-based approach over the past few years in light of Sir Philip Hamptons 2005 report, Reducing administrative burdens: effective inspection and enforcement , which considered how to cut unnecessary red tape for businesses without weakening controls. Hampton set out some key concepts that should be applied consistently throughout the system.These included the principles that regulators should use comprehensive risk assessments to focus resources on the areas that need them the most and that no inspection should take place without a reason.The report also stated that regulators should make low-cost advice easily accessible. Regulators are generally implementing the Hampton principles and encouraging organisations to benchmark their own compliance efforts. The CQC also encourages organisations and internal audit to approach it directly if they have compliance queries. Ifin doubt, look at our website, Trainer advises. It contains all the necessary information that boards, internal audit and compliance officers need to ensure that their approach is correct, given their risk profile and circumstances. Other than that, internal auditors can call our contact centre in Newcastle on 03000 616161 with any queries. We will be only too happy to help.

22

Open-door policy

Other watchdogs agree that they dont want to punish organisations that come forward with compliance concerns. Matthew Trainer, deputy director of operations at the Care Quality Commission (CQC), which regulates health and adult care services nationwide and can ban people from working in the sector, says that it isnt looking for uniformity . Trying to achieve a one-size-fits-all model is not appropriate where we are looking at organisations of very different sizes in very different circumstances, he says. We are looking for a proper

People should have more faith in their own judgment

Trainer also recommends that organisations should get to know their local CQC inspector better. There is nothing wrong with asking for our inspectors contact details so that you can call them for advice. They are there to guide organisations as well as to enforce standards, he says. The CQC welcomes it when organisations are proactive and open about the potential governance problems facing them, according toTrainer. A chief executive of an NHS trust called me recently to say that his A&E department had admitted three times more patients over one weekend than normal and that it had been unable to treat everyone in the usual time. While the hospital had solved the problem, he was expecting to receive some complaints, so he thought it was best to notify us immediately, he says. This is the kind of attitude were looking for, because it indicates a clear reporting and accountability structure. Problems will always occur, but in this case the trust acknowledged these and took appropriate steps to deal with them. And, because it has informed us, we are in a position to help. But some regulators may find it difficult toestablish closer relationships with the organisations they oversee. Indeed, in some cases an arms-length approach is desirable. RoryTaylor, spokesman for the Competition

have any enforcement powers. A companys shareholders not the FRC will decide whether or not its financial reporting, risk disclosure, board composition and remuneration practices are suitable.

Led astray
Some regulators believe that in a few cases, at least the confusion about, and misinterpretation of, their rules is because of the negligence of third parties such as lawyers and consultants who provide compliance advisory services or training. There are undoubtedly some organisations out there making money from giving bad advice, Bamford says. If you have concerns, contact the ICO directly. Trainer adds that it is a source of real frustration to the CQC that our regulations can be misinterpreted to such an extent, sometimes by companies that provide training in regulation . In one case in the past year, a dentist claimed that she was warned to remove magazines from her waiting room because otherwise her surgery would fail a CQC inspection. In another, an 89-year-old woman was forced to walk home from her GP surgery in the rain after it turned away her husband whod come to collect her. It wrongly told him that CQC rules forbade it to disclose whether she was still there or not. Toadd insult to injury, the CQC doesnt even regulate GP surgeries (it starts from April). Both incidents were a result of poor advice from a third party. No one wants to see these kinds of incidents, Trainer says. Common sense is usually the best indicator of whether an organisations approach is the right one to suit its circumstances. People should have more faith in their own judgment. Bamford agrees. We arent looking to prosecute companies as a first resort, he says. Our job is to ensure that organisations take data protection issues seriously and to advise them where we can. Its not to hit firms over the head with a big stick although we have the power to do that when necessary.

The CQC has moved towards a riskbased approach over the past few years in light of Sir Philip Hamptons 2005 report, Reducing administrative burdens: effective inspection and enforcement, which considered how to cut unnecessary red tape for businesses without weakening controls.
Commission, which considers whether companies could gain too large a share of their markets as the result of mergers, says that engagement is difficult . The reason is that the commission cannot give preliminary advice on such deals because we may have to rule on them later and also because companies dont need to consult any authority before engaging in a merger . Taylor says that a company should check the Competition Commissions rules to get a better idea of the circumstances under which the commission could instruct it to unwind a merged entity or require divestments in other parts of the business.The publications section on its website would be a good starting point, he says. But even following the guidance to the letter can be inappropriate in some cases. Chris Hodge, director of corporate governance at the Financial Reporting Council (FRC), points out that a companys compliance with the FRCs code of corporate governance does not in itself constitute goodgovernance. The code cannot guarantee effective board behaviour because the range of situations in which it applies is much too wide for it to attempt to mandate behaviour more specifically than it does, Hodge explains. Boards therefore have a lot of room within the framework of the code to decide for themselves how they should act. While the FRC can advise companies about technical aspects of the code, it cannot guarantee that their actions will be approved by their investors, he warns. We are a unique regulator in the sense that we dont

23

Key facts United Utilities has: 5,000 employees.  180 reservoirs.  56,000 hectares of catchment land. 42,000km of water pipes. 76,000km of sewers. 569 waste-water treatment works.

24

If our regulators are clear about the results theywant us to achieve, rather than the processes behind them, thats very helpful

Going with the flow

Words: Ruth Prickett
Water is fundamental to life. Before you go to work, you wash, make tea, clean your teeth and put on the washing machine. Its a silent service that you really only notice if it goes wrong. Its our job to bring all our customers clean, clear water and take it away again so that they can simply get on with their day. So says Mark Lenton, head of audit and risk at United Utilities Group, who admits that he is passionate about his business. A FTSE-100 member, United Utilities is the largest listed water company in the UK. One of ten licensed to provide both water and waste-water services, it serves over three million households and 200,000 businesses in north-west England. Itnot only has to keep seven million consumers happy; it also has to satisfy several regulators. While the rules set by its business regulators, such as the Financial Reporting Council, affect all companies, there are several core regulators specific to its sector. Water, like the other utilities, is tightly regulated and the rules are constantly evolving, according to Lenton. Ofwat is the industrys economic regulator. Itassesses the quality and efficiency of a water companys services and sets the prices it can charge. Prices are agreed on a five-yearly cycle and in the process Ofwat considers the services

Mark Lenton, head of audit and risk at the UKs biggest water plc, leads a team thats nearly outnumbered by theamount of watchdogs that oversee the industry.
25
that the provider agrees to deliver. All water and waste-water companies in England and Wales are working towards agreeing the content of their next five-year business plans from 2015. Stakeholder engagement is key to our plans success. We need to involve our customers and other stakeholders and to demonstrate that theirpreferences are reflected in our submission, Lenton says. In this price review Ofwat has introduced customer challenge groups, which look at the quality of each companys engagement. They test that proposals fairly reflect and balance different customers views and arepart of an overall business plan thats likely to be acceptable to them.

Aqua ticks
Water quality is regulated by the Drinking Water Inspectorate, while the Environment Agency is responsible for overseeing the standard of the treated water thats returned to the environment. It also regulates how much water a supplier can take from its various sources. In our catchment areas around reservoirs we try to capture efficiently as much of the water that falls on these as possible and manage how it flows into the reservoirs, Lenton explains.

Regulations are certainly We found ourselves in afront situation where in atthe of my mind and some countries there could be as many as seven thoseof my colleagues and standalone Save the Children others acrossorganisations thewater sector

26

United Utilities is also accountable to Natural England, which identifies sites on land owned by the business in regions such as theLake District. The company must show that it manages these areas to conserve the natural environment and protect and enhanceits biodiversity. Lenton doesnt have an army to deal with all these regulators. Wehave eight in our audit team, although we have several co-sourcing relationships with external companies, which means that we can access extra skills and resources when these are needed for specific audits, he says. In the past few years weve also introduced the concept of guest advisers/auditors. These are people from the wider business who can bring specific knowledge to the team. Ofcourse this has to be done without compromising the integrity of the audit or the individual you cant have someone marking their own homework but when its done well it really helps us, gives the individuals a chance to develop key audit skills and encourages internal communication.

Staying current
This kind of cross-business working is vital in order that Lentons small team can keep up with all the regulatory developments. People across the organisation are responsible for monitoring regulatory changes and dealing with the regulators from day to day.

These individuals get involved when necessary in consultations and will ask regulators for clarifications or updates. Lentons team comes in at the next level, providing assurance over how the business responds in compliance with key regulations. Were increasingly trying to apply the three-lines-of-defence model of assurance. This helps to clarify organisational responsibilities, support coordination and confirm our own third-line assurance role, Lenton explains. We keep an eye on regulators websites and attend regulatory and industry events, ofcourse Im on the IIA Internal Audit Leaders Forum and I talk to external auditors, the big four and others about the hot topics in theprofession but the information we use depends on a whole web of people and systems. Although some changes dont require internal audits involvement, according to Lenton, we have to consider how they affect responsibilities and assurance activities and whether management has implemented adequate actions to ensure that these activities are still appropriate. A lot of this is about monitoring and building relationships in the company. The need to deal with changes from the regulators is one reason its important to keep audit plans flexible. While a core base of audits forms a subset of the plan that his team will aim to undertake in a year, he says its important to be able to change this if, for

far more at outcomes and are more willing to let us work out the best way to comply and provide assurance. After all, Lenton says, his company wants to enhance customer service as much as the regulator does, so all parties should be working together to improve performance in this area.

Glass half full

If our regulators are clear about the results they want us to achieve, rather than the processes behind them, thats very helpful, he says. Itis better for our business if we can build the information and assurances they need into what we do every day, so its business asusual, than if we have a group of people running around gathering the information and assurances needed in a particular format. Its also more likely to achieve the results they want. This creates a new emphasis for internal audit in its work on whether the people responsible for these day-to-day processes understand the ultimate aims, respond effectively and provide the assurances that internal audit would need in order to demonstrate compliance. Internal audit is therefore focusing more on building relationships to develop this understanding through the business. The change may be subtle, but it requires internal auditors to work more closely with the business and to continue checking that the right messages get through and that processes are adequate, relevant and understandable. The team is spending less time on gathering information and focusing more on adding value to the organisation, according to Lenton. Internal audit is part of the business its independent, but still part of the business, he says. As well as doing formal audits we can help management by, say, reviewing plans for new processes at an early stage and suggesting ways to improve them. This makes things more efficient. Regulations will continue to be a key part of internal audit at United Utilities. Lenton has been at the firm for three years and admits that he has seen significant regulatory change. Regulations are certainly at the front of my mind and those of my colleagues and others across the water sector, he says. But some of these changes seem to be helping his team blend assurance into the broader company processes ever more seamlessly. Providing the best service to customers, as reflected in its helping life flow smoothly message, is central to United Utilities strategy. Supporting that, it seems that Lenton and his team are playing their part in the smooth flow of regulatory compliance in their organisation. for more information IIA Global has published a position paper entitled Thethree lines of defense in effective risk management andcontrol. Visit www.iia.org.uk to download a copy.

27

example, a more important matter comes to the attention of the management or risk team. Regulation is only one area that may affect our plans, of course, Lenton says. But, because we are a highly regulated industry, this is more important to us than it is to many other organisations. His team is also mindful of regulatory developments that have emerged in other sectors and it asks whether similar issues could also affect United Utilities. Recenthistory has seen interventions in the gas and electricity industries as well as in financial services and retail. These may not be immediately relevant to the water industry, but Lenton says its up to the internal auditors to provide a balanced view of any emerging risk of this kind and to discuss the scale of the risk with management. In determining an appropriate audit response, he considers what the company is already doing in this area and what other sources of assurance may exist. Sometimes he will bring forward a planned audit or schedule an extra one. But, while fines and stricter requirements have been imposed in some sectors recently, Lenton says he has seen a shift among many regulators to a less prescriptive approach, which he welcomes. We used to have a very formal reporting approach requiring lots of specific data, herecalls. Now many regulators are looking

Water is a silent service that you really only notice if it goes wrong

Tools for the job

Rapid-response team
The way in which you deliver your findings will affect the quality of the replies you receive from the auditees. Leo Mucheriwa CMIIA explains how to ensure that they respond with a prompt, concise and effective plan of action.
Many internal auditors underestimate the time and effort they have to spend chasing management for appropriate responses to their findings. Irrelevant responses not only hold up audits; they can also undermine the resulting audit report. A response should contain managements plan for correcting or improving the situation you have found. Buthow do you ensure that you agree about what constitutes an appropriate response? For a start, its important to specify your requirements as early as possible in the process. The initial meeting is a good time to explain to management how you expect them to respond to your findings. It is easy for internal auditors who have created a good rapport with management to neglect some of the fundamentals of an opening meeting. Dont let familiarity lead to too much informality. Everyone in the meeting needs to know what is going to happen and how regardless of how often they have been audited before. Audit is a formal corporate governance process. You dont want surprises, false expectations or misunderstandings to hamper progress. Communicate your findings as they arise. This way you wont end up sending management a daunting pile of findings with a tight deadline for a response. It will give you more time to deal with any disputes. Before you put anything in writing, discuss your findings in detail with the auditees and ensure that they have the authority to respond. There is no point discovering later that someone else will draftthe response. This causes delays and misunderstandings. If the auditee does not have the authority to respond, try to hold a meeting with both the auditee and the personwho does. It is vital to identify the individual with overall responsibility for the area being audited. When you have discussed and agreed the findings with management, try to put these in writing within 24 hours so that they are still fresh in peoples minds. State each finding clearly and concisely. Describe each issue, its impact, the specific findings and your recommended solution. Set a deadline for managements response 48 hours is a good target. If management misses your deadline, email a reminder, copying in the next manager up in the hierarchy. The response you need from management is a plan for corrective action, not a defensive statement. Getting background information is nice, but its not your main concern. Naturally, management may want to explain why certain controls werent working properly before they produce a corrective plan, but the executive and board dont need to be overloaded with unnecessary historical detail. You can split the management responseinto two sections: what wasnt working properly and why; and what will bedone to correct it. Its important to explainto management what information from their response will appear in the reportand what will not. When you send your findings to management, include a template showingwhat constitutes a plan for corrective actionand what doesnt. For example, amanagement response should: Respond directly to the findings and yourrecommendations. Clarify any information in the findings thatis not factually correct. Specify the corrective actions that will betaken. Identify the individuals who will be responsible for taking these actions. Provide a specific and realistic scheduleforimplementation. Be clear and concise. Be provided no more than 48 hours afterthe audit findings are received. A management response should not: Contain defensive statements. Include unnecessary background information on the causes of problems. Include information irrelevant to the findings or the action plan. Obtaining the right management response straight away saves time for bothyou and management, and it limits thescope for confusion. This is your audit, sotake control of the process.

28

LEO MUCHERIWA CMIIA is assistant vice-president, group internal audit, for Butterfield Bank. The IIA runs a training course entitled Ultimate persuasion techniques. Visit www.iia.org.uk for further information.

IA TB half page SPRING 2013

5/2/13

15:37

Page 1

Great expectations
As business becomes ever more complex and the risks faced more challenging, the demands on internal audit keep increasing: provide more assurance, add further value, become a business partner and remain independent.
The effectiveness of internal audit crucially depends not just on what it does, but on understanding the views and expectations of its key stakeholders. Thinking Board can help you to do this as part of your self-assessment of internal audit effectiveness. Thinking Board draws on Independent Audits expertise in conducting external reviews of internal audit. Easy to use, it helps you gather feedback from a wide range of people across the organisation. Its imaginative questions tell you more than youd expect. Vivid reports allow easy analysis and ready insight. For more information about Thinking Board, or to discuss Independent Audits experience in external effectiveness reviews, please contact: [email protected] +44(0)20 7220 6584 [email protected] +44(0)20 7220 6545
A service from

Independent Audit Limited, 4 Bury Street, London EC3A 5AW

IIA South West Conference 2013

Striving for success
The SW annual conference continues to go from strength to strength.There is another great line up of topical sessions delivered by expert speakers to help you manage successfully in todays challenging environment. A number of authoritative speakers from the public and private sectors will present topics including achievement of business objectives, latest threats to your IT systems, supplier spend efciency, identifying and detecting fraud, doing business without bribery, risk management and an interactive session on how people make poor decisions.
Dates/locations 16/17 May 2013 Hilton Conference Centre, Cadbury House, Congresbury, Bristol

tel 07747 150 122 fax 020 7978 2492 email [email protected]

2330_South West Conference HP 2012.indd 1

17/01/2013 17:54

Career development

Every secondment
If you are offered a temporary work placement with another employer perhaps even in a different function from internal audit youd be well advised to jump at the chance. So says Chris Monk, whose organisation, Uniac, and its staff have long reaped the benefits of secondments.
Illustration: Russell Cobb
Uniac is a shared service that provides internal audit and assurance services tothehigher education sector. We are owned by, and are the internal auditorsfor, our 11 member universities. Wealsoprovide one-off services to non-member universities. As a sector-specific internal audit function we are constantly challenged to keep up to date with best practice emerging from other industries and to continue developing the specialist skills and knowledge required in our field. One way inwhich we meet these challenges is through secondments. Almosthalf of our staff have spent time on secondment somemore than once. These have varied greatly in content and length: anything from two weeks to 12 months. But what are the pros and cons of secondments?

30

The benefits
The big advantage of secondments is their power to develop people. We find that they help to build peoples confidence moreoften than not, secondees are obliged to perform outside their comfort zones. Theyalso provide exposure to fields that maynot necessarily be experienced while doing Uniacs audit work and help secondeesto develop networks with other audit professionals. From the individuals perspective, secondments help to demonstrate that you are keeping your skills and knowledge up to date, which always looks good on a CV. Other benefits depend on which of the following three types ofsecondment we use: l Secondments to and from other internal audit functions. Theseare the least common in Uniacs experience, but we want to provide more of them. This type of placement can bring huge benefits through the exchange of knowledge via exposure to

Its vital to choose candidates with the right skills for thesecondment and to maintain contact with them throughout to ensure that everything is going smoothly

counts

different audit practices. Secondees can return to Uniac and challenge the way we do things. The same can be said when we second people to Uniac. Before the end of theplacement we sit down with the secondee to discuss their impressions of our organisation the good aspects and the not so good. We have learned lessons from them about resource planning, audit planning and reporting, for example. Wehave also used secondments to obtain specialist skills that we may not necessarily have in-house, or simply to provide an extra resource at times when our workload is particularly heavy. l Secondments to the universities we audit. These placements are usually, but not exclusively, in finance and accounting. Such secondments give our professionals a deeper understanding of the universities and this, we believe, results in more practical audit recommendations. Secondments can also facilitate the development of relationships with key contacts, which can prove useful during later audits. They are beneficial to the universities, too. Secondments can remove some of the pitfalls associated with using temporary staff, enabling the secondee to remain focused on the task in hand rather than looking for their next assignment, for example. The university can also easily contact the secondee with any queries after their placement has ended. Secondments into Uniac from universities have helped university staff to improve their understanding of the purpose and role of our service and of the challenges we sometimes face in the course of our work. This can be helpful in countering negative perceptions of internal audit. l Secondments to the sector regulator. Weregularly send our staff on secondment tothe Higher Education Funding Council for England. The experience improves Uniacs wider understanding of the watchdogs requirements, allowing us to apply this in our audit work. It also gives us aninsight into potential regulatory changes while helping tobuild the regulators confidence in Uniac and its staff.

maintain contact with them throughout to ensure that everything is going smoothly. Secondments may be lengthy, but by definition they are temporary, so we always keep any member of staff who is working away from Uniac updated on whats happening back at base so that they still feel part of the team. There is a risk that the secondee enjoys it so much at their host organisation they end up leaving Uniac to join it. This has happened and, while its not a desirable outcome for Uniac, itcan indicate to stakeholders the qualities and strengths of our people. We believe that secondments are excellent vehicles to provide a varied experience for staff, to refine our own approach and to identifyand share best practice across different sectors. That is why Uniac is always looking to build new relationships with other internal audit teams. Chris Monk is director, Uniac. Ifyou are interested in organising secondments either to or from Uniac, please contact him at [email protected] or on 0161 247 2851.

31

How Uniac works

Uniac is governed by a board with a representative from each of its 11member universities and three directors overseeing itsday-to-day management to ensurequality of service. Theorganisation has 16 auditors who work in universities with a combined turnover of nearly 2bn, a student body of 287,000 and a workforce of 39,000. Although its a shared service that operates in one sector, the universities Uniac audits are very different and the risks that affect them can differ widely. In England, where Uniac does most of its work, the main regulator is the Higher Education Funding Council for England (HEFCE). Although each university is a legal entity in its own right with its own decision-making powers, it is a requirement of thefunding agreement with the HEFCE to have an effective internalaudit function. As such, the council takes a direct interest in the scope and results of Uniacs work. For example, the service hasto provide an annual opinion for all of the universities it audits (reported viathe audit committee) on their internal controls, governance, risk management, value for money and data quality. Given the new tuition fees regime, the higher education sector is facing significant changesto its governance system. Most teaching funding is transferring from the HEFCE to individual students via the StudentLoans Company and therewill be a revised regulatory framework, which is still being formulated, although its expected that the HEFCE will remain as the lead regulator.

The pitfalls
Clearly, we must ensure that any secondment does not impinge on Uniacs independence. To this end, we have a formal process to ensure that the secondee will not be involved in auditing the specific area that they have been seconded to or from. When people are pushed out of their comfort zones on secondment, the experience can boost their confidence, but the opposite can happen if things do not turn out as planned. Ifthe placement goes awry, it will not only be difficult from the secondees perspective; it may also harm the audit teams reputation. Its vital to choose candidates with the right skills for the secondment and to

You asked us

Q&A

Our technical helpline provides valuable advice to members on a host of professional issues. Hereare some of the questions youve submitted recently.
Q. Im starting from scratch in my new internal audit role.Ihave prepared a planning document that details our audit strategy and was hoping that you could point me in the direction of a template or example of a planning/ strategy document,so that Ican ensure that Ive structured it correctly and included all the key headings. A. We dont have a template as such, but the institutes website (www.iia.org.uk) contains a few documents that might help you. These include Developing the internal audit strategic plan and Top tips for internal auditors preparing an internal audit strategy. In addition, the Heads of internal audit benchmarking report internal audit strategic plans details some of the items that internal audit functions are including intheir strategic plans. The benchmarking report gives some links to other documents that you might also find helpful. Q. What is the current guidance on the frequency ofauditing particular functionsor processes where these are rated high, medium or low risk? I have worked to a cycle of one, two and three years respectively for these, but recently I have seen suggestions that it should betwo, three and four years. What is the institutes view? A. We dont specify or recommend a particular approach with regard to the frequency of audits, as the risk profile of each organisation is different. If theres a high-risk area in your business and the audit committee wants regularassurance, then that could be looked at annually. Alternatively, priority for assurance might be focused on strategic objectives and some of the more routine processes that are very low risk might not be looked at for many years. Holding discussions with your audit committee members and senior managers and using some form of materiality grading will give you a better indicator than anything that we could supply. Q. I am conducting an internal quality assessment in which Im benchmarking our internal audit unit against the HM Treasury internal quality assessment framework. The governance and leadership element of this asks whether the head of internal audit post has been evaluated within the past three years to ensure that its of a sufficient grade to give due weight to the HIAs influence on risk management, control and governance in the organisation. Who would bebest placed to make this evaluation? I think that it should be the audit committee, rather than senior management or the HR team, so as to ensure independence, but your advice would be appreciated. A. We think its probably a combination of what you have described. Wed agree that the audit committee would probably make the final judgment, but this is more than likely to be done with the aid of advice from the HRteam. HRmight conduct amarket assessment via contact with employment agencies, using past experience on job evaluation, for instance, and this would be sense-checked by senior managers. So it should probably be a joint effort. Q. What rights of access to information/investigation files do internal audit have incases where complaint/ disciplinary/civil proceedingsare under way? A. We would expect that information should be made available at some point, possibly once sufficient grounds have been established for a case to be answered, but we doubt that it would be the whole file. Because this would normally be undertaken in conjunction with the HR and legal teams, wed suggest that they would be the best people to advise you. The institute does not have any guidanceon this and the only thing that we could find on the internet was a document from the Information Commissioners Office on information heldin complaint files, although this applies onlyto public authorities (bit.ly/ ICOcomplaintAccess).

32

You do have to retain the information supporting your opinions and conclusions

Q. I am looking at the length of time it takes us to produce our audit reports. Im trying to find out how long other organisations give themselves to file draft reports after finishing the fieldwork and then how long they aim to give management to respond. Do you have any benchmarking data on the time that firms tend to allow themselves for such things?

{
that audit evidence should beretained,especially confidential data reports payroll, for example? A. The institutes standards tellus what to do when it comes to documenting information. Performance Standard 2330 states: Internal auditors must document relevant information to support the conclusions and engagement results. This is expanded in Performance Standard 2330.A2, which states: The chief audit executive must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organisations guidelines and any pertinent regulatory or other requirements. This means that you do haveto retain the information supporting your opinions and conclusions. With modern technology, electronic storage and document scanning it is possible to keep records indefinitely and we think that some internal audit functions aredoingthat. There is a practice advisory (2330.A2.1) on the subject, but it doesnt say much other than that there should be a policy and a procedure and the guidancewe have issued says much the same thing. The basic problem is that theres no requirement or standard length of time for internal audit documentation, so people generally use six to 12 years, based on financial and HMRCrequirements. We suggest that you have alook at a guide to Internal auditrecords management thats available on the Treasurys website (bit.ly/ TreasuryRecordMgt). The relevant section is entitled Retention and disposal on page 15, while annex A on page23 provides a retention schedule that might be helpful. Q. Could you tell me whether there is any information or guidance in existence on sampling ie, devising a framework or policy concerning sample sizes to test in different scenarios? Isthere anything out there? A. There is no document in the International Professional Practices Framework on the subject, but IIA Global offers a book entitled Sampling: A Guide for Internal Auditors if you want to buy something (bit.ly/ IIAglobalBookSampling). Alternatively, here are a couple of free resources on thesubject: l A practical guide to sampling from the National Audit Office: bit.ly/NAOsamplingGuide. l An article on attribute sampling on the IIA Global website: bit.ly/ IIAglobalAttribute SamplingPlans. Got a question? Contact Chris Baker on the IIA technical helpline on0845 883 4739 or email [email protected]

33

We dont specify or recommend a particular approach with regard to the frequency of audits, as the risk profile of each organisation is different
A. This is something we look atas part of our external qualityassessments, but Im afraid thatwe dont hold any comparative statistics. The fastest turnaround weve seen for both is a week and probably the longest is a month. You have to take account of the type of audit, though. For simple routine checks (compliance or process reviews) a week is fine, but for complex reviews (management of priority risks and consultancy type reviews with sensitive issues) its reasonable to allow more time. While setting targets on thisis a good thing, you have tojudge each case separately. This is why there are no set periods in the standards or practice advisories. Q. Is there any guidance concerning the length of time

Looking for more? GO online

Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

IIA UPDATE
IIA website gets upgrade
The institute is updating its website. The new resource, at www.iia.org.uk, willgive members improved online services including better search facilities, navigation and online membership renewals. As this issue of Audit & Risk goes to press, the site is being tested and the finishing touches added. Members will be notified by email when the site is live and they will be invited to create a new online password so they can access member-only content.

Three new employers accredited for CPD

Three organisations have recently become accredited with the IIA. Business adviser and accountancy firm Scott-Moncrieff, Falkirk Council and the Skills Funding Agency have all been accredited, demonstrating their commitment to the professional development of internal audit staff. Benefits to employers of accreditation include recognition of their commitment to staff and best practice, as well as independent assessment of their appraisal and performance processes. Employees gain assurance that their CPD activity meets IIA requirements and automatic exemption from the institutes CPD monitoring programme. Scott-Moncrieff is a leading adviser to the charity and not-for-profit sector in Scotland and the only Scottish firm to have received a grade-A rating from Audit Scotland for its work with local authorities, NHS boards, central government agencies and further education colleges every year for almost a decade.The company employs 21 people in its public-sector and internal audit team, of whom six are specialist internal auditors. Scott-Moncrieff was previously accredited with the ACCA, Cipfa, ICAS and AAT. Helen Berry, a senior manager at the firm, said that the decision to apply for IIA accreditation was made so that internal auditors would be afforded the same opportunities as members of the other professional bodies. We take people on to train every year and its good to be able to offer professional accreditation as well as training and support, she explained. Its also good for us to be able to tell our clients that were accredited because it offers them further reassurance about our professionalism and shows that we are committed to training and maintaining standards. The main benefit for IIA members in Berrys team is that it makes it simpler for them to maintain their CPD records because the firm records all staff training centrally. We see IIA membership as evidence that people have skills that can really add value to our clients and it is therefore worth investing in, she said. Many of our clients are in the public sector and there is more appreciation now of how internal audit can help them to improve efficiency and reduce costs without cutting services. Its now more about using limited resources more efficiently than just about compliance. Falkirk Council had similar reasons for seeking accreditation. Gordon OConnor, internal audit manager at the council, explained why, when he heard about the scheme last year, he was keen to apply. We have a good personal development scheme in place and our finance department is IIP and Cipfa CPD accredited, he said. Weare committed to ongoing development in the internal audit team and I thought it would be nice to have that commitment recognised by our professional body. The advantages for OConnor were that accreditation enables him to show the audit committee, council management and external auditors that the internal audit function takes its development seriously. It also gives me comfort that well be in a position to demonstrate that we meet the requirements of the new public-sector internal audit standards, particularly sections 1210 on proficiency and 1230 on continuing professional development, he said.

34

Time to renew

Last, but not least, it moves the emphasis away from being about attending courses and accumulating CPD hours. At a time when local authorities finances are stretched and training budgets are under increased pressure, we need to be more creative about how staff undertake training and development, OConnor said. Knowing that we have achieved the CPD accreditation gives us the flexibility to explore alternative approaches, particularly learning from peers

through, for example, the Scottish local authorities chief internal auditors group and events such as the Scottish conference. Both Berry and OConnor said that the application process was straightforward andnot time-consuming. But it didrequire clear evidence of the organisations commitment to, and practical arrangements for, developing internal audit staff. For full details of the IIA accreditation scheme, visit www.iia.org.uk

Your membership of the Chartered Institute of Internal Auditors demonstrates your commitment to the profession and gives you unlimited access to extensive internal audit resources. By renewing you will secure your place in the internal audit community and ensure that you are best prepared for todays internal audit challenges. Remember that, if you hold an IIA designation (CMIIA, PIIA, IACert, QiCA, CFIIA or FIIA) and wish to continue using it, you must maintain your membership. Renewal notices will be sent to members in the next couple of weeks. Now is a good time to ensure that the IIA has the correct contact details for you: log on to www.iia.org.uk and click on My contact details to update. If you do not receive your renewal, please contact the membership team on [email protected] or 0207498 0101. Please note that members through an employers group scheme agreement will not receive a renewal notice. Subscription rates from 1April 2013 to 31 March 2014 are set out below and members can pay online.
2013-14 Fellow & CMIIA Voting Affiliate Student Retired 223 212 169 111 50

35

Events
For further information or to book, click the Training and events tab at www.iia.org.uk, email [email protected] or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

IIA training courses & events

March
12-13
36
IIA award in the effective delivery of audit and assurance York

networking event EDINBURGH

16-17

21-22 25

Contracts, procurement and fraud (new) LONDON Successful strategies for audit managers a master class (new) LONDON

IIA award in corporate governance and riskmanagement YORK

25

Data security risks for internal audit LONDON

17

25-26 25-26 30

12-15 14

Introduction to information systems auditing (updated) London

IIA South West: information security and cyber crime thelatest threats to yourorganisation EXETER

Process thinking for auditors LONDON

26-27

Auditing outsourced contracts LONDON

IIA North West: risks to organisations especially publicsector MANCHESTER

Heads of internal audit induction master class LONDON

17-18 17-19 18

Techniques for effective testing london

14-15 15 15

April
9-10
IIA/Cipfa award in governance and risk management (publicsector) LONDON

Auditing the treasury function a practitioners guide LONDON

IIA award in interpersonal skillsfor audit and assurance YORK

Advanced information systemsauditing London

30

IIA Scotland: audit reports withimpact ABERDEEN

11

Ultimate persuasion techniques LONDON

IIA North West: professionalandstudent development, including annual general meeting MANCHESTER

IIA Wales: meeting quality standards in internal audit new requirements update CARDIFF

Lean auditing delivering addedvalue from audit in anefficient way LONDON

24 24

11-12 11-12

IIA Ireland annual conference CO KILDARE

IIA Scotland: IT for auditpractitioners EDINBURGH

Post your event

20

IIA South West: auditing change how do you give effective assurance over major projects? CONGRESBURY

IIA/Cipfa award in audit and assurance in a changing environment (public sector) LONDON

The internal auditors guide tostrategic thinking LONDON

IIA regions and specialinterest groups may include details of their upcoming events by contacting [email protected]

24-25

Please state the event title,date, venue and contact details.

21

16

IIA Scotland: members

Getting to grips with risk london

IIA award in the internal auditplanning and assuranceframework YORK

The deadline for the May/June issue of Audit & Risk is 15 March.

In-house Training

As the largest supplier of internal audit training, the IIA is committed to the ongoing development of internal auditors. Our in-house training service provides you with a flexible and cost effective approach to learning where we bring our experts to you.
The benefits:
s s s First class training Cost effective Flexibility

The package:
s s s Standard course Any course direct from the training programme with very few adaptations to format and content. Tailored course Any course from the training programme where the course content, length or main focus is tailored to suit specific requirements. Bespoke The Institute specialises in bespoke training which is specifically developed for your organisation.

For further information, please visit our website or contact Kati Fiebig on 020 7819 1921

Moving up

Extreme internal auditing

Linda Sloan PIIA was awarded an MBE in the newyear honours for services to governance infragile states. So what does her job entail?
An internal auditor in the civil service, LindaSloan lives in East Kilbride with her husband and two children. She has worked for the government for 26 years. Sofar, so ordinary. But Sloans job is not your average internal audit role. Not only does it take her toplaces far removed from comfortable Scottish suburbia; it can also require her to wear body armour. Some meetings are even held with an armed guard outside the door. In the past 18 months Sloan, a senior internal auditor at the Department for International Development (DFID), has conducted audits in troubled countries including Burma, Sierra Leone, Pakistan, Zimbabwe and Afghanistan. It was this last assignment, completed in particularly difficult circumstances, that helped to earn her an MBE in 2013s new year honours for services to governance in fragile states. This job would not suit everyone, of course. Sloans second trip to Afghanistan took place just after the assassination of the former president, Burhanuddin Rabbani, inSeptember 2011 and the situation was tense. She and her team had to be accompanied by armed guards and, at one point, had to be ready to evacuate in case their compound came under attack. But Sloan says that its this type of difficulty that makes her job such a grand adventure. We all go for special training before we are sent to a hostile environment and, as long as we do what were told on theground, we should be OK, she says. You get addicted to the adrenaline, because you never know what youre going into. Itslike a new job every couple of months The Afghan programme is passing on the lessons learned to many other programmes around the world. This is another reason why Sloan finds her job so rewarding. My favourite internal audit placehas been Burma, she says. The team there is great and you just know theyre going to make it work. Ialso liked Zimbabwe because when I first went there there was no food in the shops and you needed to take shoeboxes of cash just to buy dinner. Now its totally different and you can see how peoples lives have been transformed. Sloan went into internal audit from a finance role. IIA training really helped me, she says. When I went to my first course it was like someone had opened the curtains. Igot a whole new view of the world. Learning to be an internal auditor is learning a life skill. Onceyoure trained to do it, it affects your whole world view of how things work. The MBE is not only gratifying for Sloan, who feels that her whole team has helped toearn the honour; it is also welcomed by MarkLowcock, permanent secretary at the DFID. He says that she has made a real difference in some of the most difficult places that the DFID works in and that this is also a tribute to the wider achievements of the departments internal auditors. Our internal audit team provides an ongoing assessment of the DFIDs risk performance, helping the board to identify and plan mitigation strategies, Lowcock says. Linda has done a great job on all this over many years and I am really thrilled that ithas been so publicly recognised. A longer version of this story appears on www.auditandrisk.org.uk

38

andthe pleasure you feel when it goes well is one of the best natural highs you can get.

Have flak jacket, will travel

Sloan usually goes overseas five or six timesa year to visit sites running DFID programmes and interview the staff to ensure that everyone there understands the control environment and procedures. We do follow the money as well, but our main role is to ensure that the programme team can follow it and track how its being spent, she explains. Afghanistan was a difficult audit because of the limitations of the operating environment. We had to comeup with practical recommendations on how to improve monitoring and assurance when dealing with a limited supply of partners. Wehelped the office there to improve its understanding of how our controls and processes could be applied in this most extreme environment.

IA TB Half page ad Jan

4/12/12

15:21

Page 1

Rigorous, Insightful, Objective, Expert, Efficient

Thats what you want to be as internal auditors. Its what your board and management expect you to be. Your annual effectiveness self-assessment needs to be just the same. And Thinking Board our web-based self-assessment service gives you this and more. Thinking Board draws on Independent Audits expertise in conducting external reviews of internal audit. Its easy to use, helping you gather feedback from a wide range of people across the organisation. Its imaginative questions and question design tells you more than youd expect. And clever automated reports allow easy analysis and ready insight. If youd like to find out more about Thinking Board or to arrange a demonstration, please contact:
[email protected] +44(0)20 7220 6584 [email protected] +44(0)20 7220 6545
A service from

Independent Audit Limited, 4 Bury Street, London EC3A 5AW

Facilitators wanted
The Chartered Institute is currently recruiting workshop facilitators to support students studying the following modules: L L L M1 Strategic management M2 Financial Management P4 Information systems auditing

We are looking for enthusiastic and experienced facilitators to help our students achieve their goals.
To apply, please forward a concise CV to [email protected] or phone 020 7819 1939 for more information.

2330_Tutors Wanted_HP_4press.indd 1

17/01/2013 17:34

Student noticeboard

Student noticeboard
Essential information for exam candidates. Visit the Student information centre at www.iia.org.uk for updates.
available in the Students section of www.iia.org.uk. remind students to read these instructions before the exams. Further information about exam venues appears on the Students page of the website.

Policy on special arrangements

Exam arrangements can take account of students special requirements if requests are submitted before the exam entryapplication. Submissions, which must made using the application form for special arrangements, must include: l Detailed information about the circumstances surrounding the special requirements. l The required amendments to the exam arrangements. l Independent evidence of the condition/circumstance on which the application is based. Documentary evidence shouldusually be a doctors letter. This must confirm that the candidate suffers from a particular condition, give specific details of the likely length of time for which the candidate will need special arrangements and confirm the extra time required. Students who require special arrangements should review thelatest version of the policy, which can be found at www.iia.org.uk under Policies in the Students section.

Authority-to-sit correspondence
Correspondence will be sent on3 May to students registeredto sit exams in June. Candidatesmust take a copy ofthis to the exam venue and present it on entry. Photographic identification willalso need to be presented. Ifyou have not received your correspondence by 10 May, email [email protected] or call AnetaZieba on 020 7819 1928. Pre-exam instructions will be available in the Students section of www.iia.org.uk from 3May. The correspondence will

Submission of professional experience journals (PEJs)

Members who have completed the theory modules of the IIA Diploma or IIA Advanced Diploma should submit their PEJs as soon as possible. Thesewill be assessed within four weeks of submission. The IIA prefers students to submit PEJs, and the endorsements from those who sign off their experience, electronically. This will save time and money on processing thesubmissions. Further information, including the latest versions of PEJs, can be found at www.iia.org.uk.

Case study release for the June exams

Candidates can access the casestudy pre-release material on 7May. Materials for the IIADiploma accelerated route and the IIA Advanced Diploma will be published on the Students page of the website. Students will be emailed a reminder on 7 May. Ensure that your contact details are up to date by visiting Myprofile on the Members page at www.iia.org.uk.

40

June 2013 exams

Exams will be held from Tuesday 4 June to Friday 7 June. Module IIA Diploma P1 The Internal Audit Environment P2 Financial Risks and Controls P3 Internal Audit Practice P4 Information Systems Auditing P5 Corporate Governance and Risk Management P7 Internal Audit Practice Case Study IIA Advanced Diploma M1 Strategic Management M2 Financial Management M3 Risk Assurance and Audit Management M4 Advanced Internal Auditing Case Study IIA IT Auditing Certificate A1 IT Auditing Certificate Multiple-Choice Questions Tuesday 4 9.30am to 11.30am Tuesday 4 Wednesday 5 Thursday 6 Friday 7 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm Tuesday 4 Wednesday 5 Wednesday 5 Thursday 6 Friday 7 Friday 7 9.30am to 12.40pm 2pm to 5.10pm 9.30am to 12.40pm 9.30am to 12.40pm 9.30am to 12.40pm 2pm to 5.10pm June 2013 Time

Release of the pastpaper packs and the chief examiners reports

The past paper packs and chiefexaminers reports for the November 2012 exams are

your next big move in audit

LiCenSee auditor enHanCe and enSure ProCeSS
bracknell, berkshire, competitive + benefits
Avis Budget Group is looking for a Licensee Auditor to join their expanding Internal Audit Department in EMEA. Working across the licensee network, you will gain a detailed understanding of the licensees key processes, systems and records and conduct audits to ensure licensees are properly reporting revenues and operating in accordance with their agreements. This is a highly commercial role requiring sound knowledge of current auditing techniques, the ability to interpret contracts and excellent interpersonal and influencing skills. An interesting role with the opportunity of up to 50% international travel. ref: 1810201 to discuss further, please contact Paul Clutton at [email protected] or call 0118 358 9240

internaL audit manager emea & ruSSia drive reSuLtS tHrougH PartnerSHiP
London, middlesex, competitive + benefits
Following growth across emerging markets, Armstrong have an exciting opportunity for an Internal Audit Manager to establish a dedicated EMEA corporate audit function for their international business. As well as managing key relationships across the region, you will be responsible for coordinating the execution of complex operational, financial and compliance internal audits across all areas of the business. You will work independently in this autonomous role, reporting to the Director of Internal Audit & Controls in the US. ref: 1822428 to discuss further, please contact Sean moran at [email protected] or call 01189 591 751

audit Senior deLiver aSSuranCe

doncaster, up to 30,000 + benefits
Direct Group combines the latest technology and great customer service to provide insurance solutions to some of the UKs best known insurance and retail brands. You will be responsible for audit activity and compliance monitoring in line with delivery of the Groups annual assurance plan. As a part qualified or qualified IIA, ACA or ACCA auditor you will have a proven track record in internal audit and process review and be looking for an organisation where you can really make a difference. ref: 1835937 to discuss further, please contact tony Stevens at [email protected] or call 0114 2753 259

Senior audit manager demonStrate exPerienCe

London, c.100,000 + significant benefits package
A great opportunity has arisen to join the London team of a leading global financial services organisation. You will play a key role within a global audit function and manage a team of specialist internal auditors. You will lead a portfolio of audits specifically in financial and regulatory risk. As a key appointment within the business you will need to demonstrate senior-level experience within a similar financial services audit environment, as well as have a strong career track record and relevant professional qualifications. ref: 1836731 to discuss further, please contact donna bowden at [email protected] or call 020 3465 0110

these are just a selection of opportunities we have to offer, please contact your local expert on 0800 716 026 or visit hays.co.uk/auditandrisk

hays.co.uk/auditandrisk

global brand boutique offering

Randstad Financial & Professional, formerly Martin Ward Anderson, now has a specialist corporate governance division covering: internal audit internal controls risk management IT audit SOX

our candidates Our network includes IIA members, newly qualied chartered accountants, multilingual and high-level internal audit directors. services available to you We also offer industry information for both clients and candidates: recruitment reviews & market insights global interviewing facilities interview advice CV writing

our approach Each client is unique so we tailor our approach to each role. We have experience in providing a number of recruitment solutions including: headhunting professional referrals retained campaigns multi vacancy campaigns contingent recruitment international campaigns

get in touch Whether seeking your next role, or hiring for a niche skill set please contact our corporate governance experts, quoting reference IIA. T: +44 (0) 207 786 6563 E: [email protected] W: www.randstadfp.com

Business Adviser Wanted !

Could you help oversee the business and financial activities of the Institute?
If so, here is your opportunity. Volunteer for the Institutes Business & Finance Committee and join fellow voting members who consider and advise on the annual budget, member subscription rates, new trading initiatives and other significant matters with financial impact. The Business & Finance Committee is a standing committee of the Council of the Institute and comprises three Directors of Council and three voting members. Committee members meet at least four times a year and should be able to provide practical advice to senior management, engage in debate and work in a team.

Closing Date 05 April 2013

To register your interest please send your CV to [email protected] or telephone 020 7819 1913.

corporate governance recruitment

London & City Banking Auditor London 6080,000+Bens Regions Lead Auditor Cheshire To50,000+Bens
Our client is a high profile manufacturing group with business interests across the UK and Europe. They are growing strongly and as a result they are seeking an additional internal auditor to be based at their corporate office. Reporting to the Head of Audit you will be accounting or audit qualified, be a self starter, comfortable interacting with senior management across the business, and have the ability to challenge established practices or policies.

IT Audit Associate IT Audit London To55,000+Bens

Working for this City based investment management group you will form part of a small IT audit function and will report directly to the Head of IT Audit. You will be involved in the planning, co-ordination and delivery of IT audit reviews across the business gaining exposure to a range of platforms and technologies. The role will provide access to senior level stakeholders in IT and operational areas and provides excellent career development opportunities.

Audit Risk Compliance Security Legal Treasury

London Edinburgh New York Dubai Hong Kong Singapore

This well known international bank, one of the worlds largest, is seeking an internal auditor with experience of auditing at least two of the following: Corporate Banking, Lending (including Structured Lending), Corporate Finance and Treasury. Your remit will cover all EMEAs activities with travel limited to about 15%. The excellent working environment and good work/life balance results in this team having one of the lowest staff turnover rates in banking audit.

Internal Auditor London To65,000+Bens

An innovative insurer specialising in complex risks is seeking to expand their audit department. You will work as part of a team and have the opportunity to lead reviews. The entrepreneurial culture of the group will suit a confident individual who can challenge in a credible way. You should be professionally qualified with internal or external audit experience gained within financial services and ideally the insurance industry.

Senior Internal Auditor Surrey To70,000+Bens

This specialist life and pensions provider requires an additional auditor to allow their highly regarded internal audit function to keep pace with the fast growing business. In addition to audit reviews you will engage and encourage senior management to further embed risk management processes. There is no travel involved in the role. You should be ambitious, professionally qualified with audit experience gained in the insurance sector.

Infrastructure Auditor London To80,000+Bens

An opportunity has arisen for an experienced IT professional with good working knowledge of operating systems, database management systems or data network components to join the internal audit division of this well known financial institution. Your experience can have been gained from an audit or non audit perspective provided you understand the risks associated with the systems and how you would mitigate against these risks.

Audit Senior Asset Management London 75,000+Bens

Working as part of a mid sized team you will manage audit projects for this successful financial services group. You will be responsible for development of more junior internal auditors and will build relationships with business managers as well as providing key input to the development of the annual audit plan. You must be professionally qualified with experience of auditing within asset management. Career development prospects are excellent.

Senior Internal Auditor North Yorkshire To40,000+Bens

This well respected financial services group is expanding their internal audit team. This is a potentially exciting opportunity for a senior internal auditor to plan and deliver internal audit reviews, identifying risks and relevant controls across a range of business functions. You will be professionally qualified, have well developed interpersonal skills and ideally have experience within the financial services sector.

Senior IT Audit Manager London c.100,000 Package

One of the UKs largest retail banking groups is seeking a Senior IT Audit Manager. You will manage a team auditing technology infrastructure and business applications within their finance and treasury functions. You will have a demonstrable record in managing staff and senior level relationships and delivering complex engagements within multi layered IT environments. Experience auditing finance and treasury functions is essential.

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW

Audit Manager London 6575,000+Bens

This UK based bank offers private banking, corporate banking and treasury. They are seeking an Audit Manager to complete assignments across all these areas. Working within a relatively flat structure you will be given the autonomy to manage audit reviews from start to finish, including liaison with senior stakeholders in the business. There is a mature working environment and applicants should be qualified with solid banking internal audit experience. For further details of positions in London/City contact Alexia Demetriou 020 7936 2601 [email protected]

Internal Auditor Manchester To35,000+Bens

Our client is an award winning and innovative finance solutions provider. Joining their Manchester based team you will take a risk based approach to auditing financial and operational procedures. Your responsibilities will include assisting the Audit Manager in delivering the annual risk based plan, preparing high quality reports for key business stakeholders and following up on all audit actions raised to ensure adequate resolution. For further details of positions in the Regions contact David Jarrold 020 7936 2601 [email protected]

IT Auditor Yorkshire To40,000+Bens

This growing banking group is seeking an IT auditor and this represents an excellent entry point to their well established group IT audit team. To meet their requirements you will need a relevant professional qualification e.g. CISA, CISSP or CISM, be able to demonstrate experience of auditing complex IT systems and have the ability to develop effective working relationships with internal stakeholders of all levels. Excellent career opportunities. For further details of positions in IT Audit contact Daniel Flynn 020 7936 2601 [email protected]

020 7936 2601

Barclay Simpson Scotland 910 St Andrew Square Edinburgh EH2 2AF

0131 209 7850

[email protected] www.barclaysimpson.com

Scotland Senior Internal Auditor Edinburgh 40,000+Bens

Working within this rapidly expanding consultancy, your role will be to perform internal audit reviews across clients within the financial and public sectors. You should be comfortable managing relationships with a variety of senior stakeholders and will be required to maximise revenue opportunities. You should possess strong internal audit and risk management experience and have well developed commercial and interpersonal skills.

International Senior Auditor Frankfurt To 75,000+Bens

The Frankfurt based internal audit team of this international bank reviews its German corporate and private banking activities. They are seeking an experienced bank auditor who can plan and lead audit assignments, liaise closely with senior management and recommend developments in controls. You should be fluent in German and have the experience to deputise for the Head of Audit when required.

Nationwide Interim Opportunities

South-Coast London Central London Edinburgh London Central London Central London London London Yorkshire Central London IT Audit Manager IT Auditor Business Auditor Senior Auditor Business Controls Audit Manager Internal Auditor IT Auditor Senior Auditor IT Auditor Senior Auditor Commerce Asset Management Investment Banking Retail Banking Corporate Banking Private Banking Lloyds Syndicate Oil & Gas Capital Markets Commerce Insurance to 60,000 pro-rata to 90,000 pro-rata 450 per day 400 per day 450 per day 70,000 pro-rata 50,000 pro-rata 500 per day 70,000 pro-rata 375 per day 400 per day

Senior IT Audit Manager Edinburgh Excellent

This successful banking group is seeking a Senior IT Audit Manager. The role will involve planning and undertaking IT audit work across the HR, treasury and finance business units. You will provide leadership to junior members of the audit team and also a point of contact for risk owners. You should be CISA or QICA qualified, have excellent communication and interpersonal skills and have demonstrable experience in a senior IT audit role.

Internal Audit Director Amsterdam Competitive package

This international manufacturing group is seeking an Internal Audit Director. You will be responsible for audit strategy and the formulation and delivery of the audit plan. Key to the role will be the development of key executive management relationships and enhancing the role and recognition of internal audit within the group. You must have extensive internal audit management experience and fluency in English and a second European language is required.

Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte [email protected]

www.barclaysimpson.com/interimsolutions

Senior Consultant Glasgow 34,000+Bens

Our client is a well known consultancy providing co and outsourced audit and risk services to clients throughout Scotland. Working across a range of industry sectors you will be responsible for planning and delivering audit and risk work, managing client relationships and responding to client tender requests. In return for delivering a quality service this consultancy is offering real prospects for future career development and progression. For further details of positions in Scotland contact Liam Hughes 0131 209 7850 [email protected]

Senior Internal Auditor New York c.$90,000+Bens

Our client is a successful multinational media and digital marketing communications group with operations throughout America. You will be required to plan, lead and manage US audit engagements and make recommendations that mitigate key risks. Gaining extensive senior management exposure, this role offers excellent long term potential inside and outside of internal audit. Applicants must be eligible to work in the US. For further details of International positions contact Marie Marchi 020 7936 2601 [email protected]

Market Report 2013

Up to date overview of the economy and its impact on corporate governance Sector analysis of the demand for internal auditors Review of salaries Outlook for the future
Download your free copy at: www.barclaysimpson.com

Visit

www.barclaysimpson.com
to access a vast range of free online resources
Search hundreds of audit vacancies Find your current market value Information on where best to live and work Focus on Computer Audit Latest information on qualifications
Barclay Simpson has been awarded the Diversity Assured Recruiter accreditation under the RECs Diversity Initiative.

For more details visit: www.barclaysimpson.com/equalopps

corporate governance recruitment

IT Audit Manager
Abu Dhabi c.$125,000 Tax Free+Bonus+Comprehensive ex-pat package
Our client, a leading UAE based international leisure group, is seeking an IT Audit Manager to join their growing Abu Dhabi based team. This is one of the strongest branded companies in the Middle East and their operations are spreading globally. The role is an immediate requirement and covers a wide variety of subsidiary companies.
Reporting to the Head of IT Audit, and frequently deputising, your responsibilities will include:
I I

Developing and delivering the integrated internal audit plan. Managing and reviewing the IT testing on core applications within integrated audits and assisting on IT specific audits (covering infrastructure and processes). Providing audit assurance reviews across the regions and advice to the business. Coaching and training the IT Audit team and identifying cost saving opportunities. Development of the audit function using technology to automate audit processes.

I I I

You will hold a relevant IT audit qualification and have practical experience in data analytics and delivering a range of IT audits in a complex networking and systems environment. Strong interpersonal skills are absolutely essential to operate in this cutting edge group.

For more information and details on how to apply please contact Joff Cowling-Bryant on [email protected]

Barclay Simpson Bridewell Gate 9 Bridewell Place London EC4V 6AW [email protected] www.barclaysimpson.com

020 7936 2601

www.barclaysimpson.com