audit.pdf
TRANSCRIPT
T h e m a g a z i n e o f t h e C h a r t e r e d I n s t i t u t e o f I n t e r n a l A u d i t o r s
I s s u e 2 6 N o v e m b e r / D e c e m b e r 2 0 1 5
Fresh fields: why Madina Bazarova moved to Malaysia to audit agricultural development projects
Plus full
Conference
2015
review
Plus: IA and the company secretary; building an audit team from scratch
® BHBi CELEBRATING TEN YEARS I
N BU
SINE
SS
10
BHBi INTERNAL AUDIT CENTRE O
F EXC
ELLE
NCE
10
39752 BHBi Internal Auditing Ad 255x205.indd 1 19/08/2015 17:21
Contents
Front3 the institute view From the chief executive, Ian Peters.
5 World view From Richard F Chambers, IIA Global president and CEO.
7 View from the top From Karen Bassett, chief internal auditor at Leeds Building Society.
8 Update The latest news affecting the profession.
10 Conference A round-up of the institute’s recent event.
12 reportage The Chartered IIA’s latest governance and risk report.
FeatUres14 Global challenges An interview with Madina Bazarova, associate director of the internal audit unit Asia at CGIAR.
18 sowing a seed Meet four people who set up an internal audit team from scratch.
22 Value pool How United Utilities benefited from its recent Chartered IIA EQA.
26 Common cause Why the company secretary could be a useful ally for heads of internal audit.
30 out of sight… Outsourcing is on the rise – but risks remain.
MeMber Matters33 You asked us Your questions answered.
34 Institute update Institute news and membership matters.
36 tools for the job What is risk-based internal auditing?
38 student noticeboard Essential information for exam candidates.
41 Courses Key dates for your diary.
42 events What’s on across the UK and beyond.
18
14
We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk
Published for the Chartered Institute of Internal Auditors
by Caspian Media Ltd, Unit G4, Harbour Yard, Chelsea
Harbour, London SW10 0XD020 7045 7500
Editors Keith Ryan
[email protected] 020 7045 7543
Brendan [email protected]
020 7045 7572
Chartered Institute of Internal Auditors
[email protected] 020 7498 0101
Subscriptions
[email protected] 020 7498 0101
AdvertisingIan Mehrer
[email protected] 020 7045 7596
Creative directorNick Dixon
Opinions expressed by contributors are their own.
Reproduction in whole or in part without written permission
is strictly prohibited.
ISSN 2048-8408.
22T h e m a g a z i n e o f t h e C h a r t e r e d I n s t i t u t e o f I n t e r n a l A u d i t o r s
I s s u e 2 6 N o v e m b e r / D e c e m b e r 2 0 1 5
Fresh fields: why Madina Bazarova moved to Malaysia to audit agricultural development projects
Plus full
Conference
2015
review
Plus: IA and the company secretary; building an audit team from scratch
TeamMate®
Ecosystem for Assurance
Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946
To achieve new heights, finding the right balance of audit tools is essential. Only TeamMate offers an integrated set of solutions that include the industry’s leading audit management system, an innovative controls management system and powerful data analytics.
Audit
ControlsAnalytics
TeamMate AM
Learn more at: TeamMateSolutions.com
TeamMate CM TeamMate Analytics
TeamMate Ecosystem advert UK.indd 1 03/02/2015 11:04:42
View from the institute
Outsourcing auditing contracts“At the heart of outsourcing lies the formal relationship between the commissioning organisation and the supplier. Internal audit can provide assurance at each stage of the procurement process.”
Ian Peters, chief executive of the Chartered IIA.
Ever since Adam Smith observed the “invisible hand” at work, companies have tried to exploit every competitive advantage available to boost profits and increase shareholder value. In the early 20th century this impulse drove firms to house all aspects of production and management under one roof. These massive integrated companies, symbolised by multinational oil firms such as BP, eventually became too large and unwieldy to compete in the global marketplace. Outsourcing was born. Our new report looks at what role internal audit can play in providing assurance on outsourced services.
Today it is not only private companies that seek to outsource services to other firms. The UK government doubled the amount it spent on outsourced services between 2010 and 2014 to around £90bn. However, commissioning organisations have found that, although a range of services can be outsourced, from production to IT support, some risks – especially to their reputations – still remain. You can’t completely outsource risk.
There are numerous examples of organisations that have not adequately managed risk to their reputation inherent in their agreements with suppliers. The UK government has suffered reputational damage from problems with suppliers, for example with G4S during the 2012 Olympics and with Atos for the Department for Work and Pensions’ work capability assessments.
The slew of companies that have been criticised for employing suppliers with poor worker conditions includes the world’s largest company (by market capitalisation), Apple.
Firms can be engaged in complex supply networks that span continents. But at the heart of any outsourcing activity lies the formal relationship between the commissioning organisation and the supplier. Internal audit can provide an advisory service and independent assurance at each stage of the procurement process. Internal audit’s role will depend on the perceived risk it presents to the organisation, the board’s risk appetite and the cost and complexity of the outsourced service.
Internal audit should be involved as early as possible in an organisation’s procurement cycle. The organisation should use a recognised process to complete a feasibility study to show that there is a clear business case aligned to the strategic objectives of the organisation. Where this process is absent, internal audit can work in an advisory capacity to help establish an effective framework.
Internal audit can review the organisation’s tendering and supplier selection process, assuring the board that they have adequate and effective policies in
“Organisations have found that, although a range of services can be outsourced, some risks – especially to their reputations – still remain.”
place to choose the right supplier. So-called “right to audit” clauses ensure that evaluation and monitoring of the third-party provider can take place. As the contract
is drafted, internal audit can examine the performance management
arrangements in place and advise on whether they are appropriate. Auditors can also work
with other assurance providers such as
operational managers and compliance professionals to
ensure coordination and that duplication is avoided.
As part of our research we present case studies that show how internal audit can get involved at all stages of the procurement cycle. We spoke to private companies and government departments including the BBC, the Home Office, Crossrail and EDF Energy. Contracts will occupy more of internal auditors’ time as organisations learn the benefits of receiving independent assurance on contracts. The institute will follow developments in this area closely as auditors get to grips with auditing more complex outsourcing arrangements.• See feature on page 30.
HAVE YOUR SAY Post your comments about this article or any of the issues raised at
www.auditandrisk.org.uk
3
To learn more, visit Protiviti.com/ITSecuritySurvey.© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
“Tone from the top” is acritical differentiator
Level of board engagement in information security risks 2015 2014
High level of engagement 28% 30%
Medium level of engagement 32% 41%
Low level of engagement 15% 20% Don’t know 25% 9%
Cybersecurity concerns and discussions abound in companies today, which are intent on addressing these issues aggressively. But are these intentions translating into effectivepolicies and actions to secure the “crown jewels” of organizations? The answers are mixed, at best, according to Protiviti’s 2015 IT Security and Privacy Survey.
Level of confidence organization can prevent anopportunistic breach caused by a company insider (1-10 scale where 10 = high level of confidence)
Companies withhigh boardengagement ininformationsecurity
7.7
Companies withouthigh boardengagement ininformationsecurity
6.1
Companies withall core informationsecuritypolicies
7.5
Companieswithout all core informationsecuritypolicies
6.1
There aren’t high levels ofconfidence in ability toprevent cyberattacks
Level of confidence organization can monitor, detect and escalate potential security incidents(1-10 scale where 10 = high level of confidence)
Companies with high boardengagement in information security
Companies without highboard engagement ininformation security8.0 6.5Acceptable use policy
Record retention/destruction policy
Data encryption policy
Written informationsecurity policy
Social media policy
A strong security foundationmust include the right core policies
Large Companies(≥ $1B)
Small Companies(< $1B)
82% 72%
80% 71%
79% 58%
72% 60%
61% 50%
Senior management’s level of awareness with regard to information security exposures(1-10 scale where 10 = high level of awareness)
Companies with high boardengagement ininformation security
Companies without highboard engagement ininformation security8.6 7.0
Management’s level of understanding of organization’s most sensitivedata and information 2015 2014 2013
Excellent understanding 29% 23% 27%
Good understanding 45% 51% 48%
Limited understanding 16% 22% 22%
Little or no understanding 3% 3% 2%
Don’t know 8% 1% 1%
Many companies lack an understandingof their “crown jewels”
The Battle Continues
Working toBridge the DataSecurity Chasm
I IA PArtner AdvertIsement
Protiviti Advert_Revised_F.indd 1 20/10/2015 16:30
View from IIA Global
For Further inFormation Richard F Chambers writes a blog
at iaonline.theiia.org/Richard-Chambers and tweets at www.twitter.com/rfchambers. His award-winning book, Lessons Learned on the Audit Trail, is available at www.theiia.org/bookstore.
Change meeting tomorrow’s challenges “Internal audit is being asked to support efforts to mitigate risks from a dizzying array of sources – and its response could affect how the profession evolves.” Richard F Chambers, president and CEO of IIA Global.
We often read about a business, government or an individual coming to a crossroads. More often than not, these are overly dramatic descriptions of some smaller crisis. However, when it comes to internal audit, we may truly be at such a junction.
The internal audit profession is in a period of great change. Businesses operating in an increasingly dynamic environment face risks from a dizzying array of sources old and new, including cyber-threats, privacy concerns and corporate culture clashes. More than ever, internal audit is being asked to support efforts to mitigate these varied risks – and its response could affect how the profession evolves.
The growing list of pressure points poses serious challenges. It includes the familiar, such as rising stakeholder expectation; the anticipated, such as increased regulatory scrutiny; and unforeseen threats endemic to a volatile risk landscape.
As with any profession undergoing change, the challenge is to adapt quickly and efficiently based on the best information available at the time. This evolution is likely to occur at a faster pace than in the past, which magnifies the importance of having strong leadership and a clear mission.
Internal audit’s focus on understanding and responding to stakeholder needs is not new. What has changed is the portfolio of stakeholders, which has grown as internal audit’s value has become more apparent.
In addition to the traditional stakeholders of management and the board, investors and regulators are increasingly turning to internal audit to provide assurance on transparency. Each of these constituencies has evolving needs to align with risks and agendas. The challenge for internal audit is to
balance those needs, especially when they conflict.
It is vital, then, for heads of audit to have clear communications with stakeholders, including formal and informal communications channels to build rapport.
In concise terms, boards want no surprises, management wants partnering and value for money, and regulators want independence and transparency. This makes it appear to be a simple task. But meeting stakeholder expectations is rarely straightforward.
A recent Common Body of Knowledge report from the IIA Research Foundation describes the dilemma financial services auditors are facing. The report, A Global View of Financial Services Auditing: Challenges, Opportunities and the Future, highlights the difficulty of serving an expanding list of stakeholders and the corresponding scope of work. “It appears the caveat about ‘being careful what you
ask for’ has become reality for many, bringing with it both opportunities and challenges,” says the report. “CAEs are finding themselves in the middle of almost every problem imaginable.”
Limited resources are being stretched to meet stakeholder needs, and to
develop the new skill sets required for the expanded scope of work.
Added to this are the increasing responsibilities for internal audit on regulatory issues.A looming labour shortage in
the profession completes a sobering picture as we head into 2016. But it seems appropriate that we face such challenges in IIA Global’s 75th anniversary year. If we are to thrive in this landscape, we must rely on the IIA’s principles and standards.
I mentioned earlier the need for strong leadership and a clear mission. The IIA’s revised International Professional Practices Framework (IPPF) offers the guidance we need. It may be tempting to seek answers in new approaches – and I encourage practitioners to do so – but we must remain grounded in the IPPF.
Despite these growing challenges, I approach the coming year with optimism and energy. Our profession has never shied away from doing the hard work and using creativity, ingenuity and determination to meet our challenges head-on.
“The list of pressure points poses serious challenges.”
5
To find out more or to arrange a free trial visit:
www.symbiant.ukTrusted by names you know from charities to banks, government to PLC.
The Total Risk, Audit and Compliance Software solutionSymbiant is a modular solution that allows the whole workforce to collaborate on Audit, Risk and Compliance issues with prices starting at only £200 per month.Incident Reporting, Risk Registers, Action Tracking, Control Failure Simulation, Capital Adequacy and Stress Testing, Document Management, Control Self Assessment, Risk Workshops, Audit Panning, Audit Questionnaires, Working Papers, Info Graphics, Dashboards and more.
OF AWARD WINNING SOFTWARE
16
®
Prepare to be amazed
An advanced risk and auditmanagement
solution for only £200
View from the top
Further inFormation Karen Bassett is chief internal auditor
at Leeds Building Society and chair of the IIA Mutual Sector Group Committee. She was previously chief internal auditor at Northern Rock/Virgin Money and audit director at HBOS/Lloyds Banking Group.
internal auditors occasionally winced while reading some of the reports from the various investigations questioning the effectiveness of the three lines of defence and the role of internal audit. We have to be the independent challenger, the conscience of the board, judge and guardian of the control environment, the all-seeing eyes and white knights of truth, however unpalatable that might be to the business. Our integrity must be beyond doubt, otherwise we are part of the problem.
Of course we all say, so what’s new?Maintaining a strong, credible internal audit function relies on all of the business knowledge we glean from our hard-won relationships to ensure that any challenges we make are proportionate and our calls for improvement are pragmatic. We need to balance these skills, now more than ever, with sound judgment and the courage to challenge and disagree when under pressure. We need to display confidence in our understanding of the issues and in our credibility when communicating our findings.
relationships does integrity trump trust? “We know how effective business relationships can be once we establish trust and credibility. So at what point should we refuse to compromise, even if it means that a relationship suffers?”Karen Bassett, chief internal auditor, Leeds Building Society.
Internal audit puts a lot of effort and resources into being a trusted business partner and this involves nurturing relationships with stakeholders to ensure that we are “in the know”. We need to be credible and able to land issues and agree audit actions smoothly, without creating last-minute surprises. All this depends on building up trust between the audit team and business managers.
Agreeing and finalising audit reports can often involve a compromise over position or semantics. At times we need to collaborate with management to find a middle ground to establish business ownership and accountability for improvements to the control environment. The internal audit profession has come a long way over the years, establishing these relationships and developing its people to be good at stakeholder management. Personal development plans now place as much emphasis on the soft skills of influencing, communication and negotiating skills as they do on technical skills, and for good reason. We know how effective these relationships can be once we have established trust and credibility.
So at what point should we tip the balance and refuse to compromise, even if it means that this relationship suffers?
In the wake of the banking crisis and the casualties that followed, I am sure that all
At the end of the day deciding whether to challenge the business is our call and
that can put us in a lonely place. At such times, being able to depend on
the support of our peers in the profession and of independent
non-executive directors on our boards,
as well as the various Chartered IIA advisory groups and networking
events, has never been more important or more welcome. It has helped me to stand back and understand context.
The test of our skill, then, is the strength of the relationships we have built over time, after a challenging audit is over. This is the true measure of our effectiveness – we need to know that as the cycle resumes we can continue as before in a relationship built on trust with our integrity intact and the sense of a job well done.
If anyone thinks the internal audit profession is dull, invite them to step into our shoes for a while – I can honestly say I have rarely known a dull moment.
“Deciding whether to challenge the business is our call and that can put us in a lonely place.”
7
8
Big Four firm EY says that there needs to be a focus on improving risk governance rather than recruiting more people to work in compliance.
EY’s paper, called Risk Governance 2020, says that board oversight needs to be enhanced, while organisations also need to
align their culture with their risk appetite, particularly as regulators and investors are pushing for more effective corporate governance.
To achieve the vision of Risk Governance 2020, EY says organisations need to fully embed risk appetite frameworks,
strengthen risk accountability/the three lines of defence model, increase control effectiveness, enhance risk transparency, have an integrated talent and incentives approach, create stronger board oversight and have a robust risk culture. View the paper at bit.ly/1dGVjqi
Sir Adrian Cadbury, author of the Cadbury Report on corporate governance (1992), died on 3 September. He was 86. Cadbury was the grandson of George Cadbury, founder of the Cadbury factory and the model community at Bournville. He retired as chairman of the family firm in 1989 and was asked by the FRC and the Stock Exchange to chair the committee on corporate governance, which recommended clear division of responsibilities at the top of firms, the importance of high-quality non-executives and full disclosure of directors’ rewards.A new catastrophe risk model called “GDP@Risk”
developed for Lloyd’s of London, the insurance market, has found that up to US$4.56trn could be wiped off the global economy over the next ten years if the world’s biggest cities are hit by disasters ranging from market crashes to earthquakes.
The cash figure represents 1.2 per cent of the total GDP forecast to be generated by these cities in the next decade, says the research.
The index focuses on 301 of the world’s leading cities, selected by economic, business and political importance. These cities are responsible for over half of global GDP today, and an estimated two-thirds of the world’s economic output by 2025.
Globally, the index identifies three key trends. Firstly, emerging economies will account for the majority share of risk-related financial losses as a result of their accelerating economic growth.
Secondly, man-made risks such as market crashes, power outages and nuclear accidents are becoming increasingly significant, associated with almost half the total GDP at risk.
Thirdly, new or emerging threats – including cyber attacks, human pandemics, plant epidemics and solar storms – have a growing impact, and account for nearly a quarter of total GDP at risk.For more details see bit.ly/1MGwEkQ
We round up the latest business and regulatory news to affect the internal audit profession.UPDATE
AdditionAl nEws, FEAturEs And ViEws are posted online all the time. Go to www.auditandrisk.org.uk to see what’s new.
8
Obituary: Sir adrian Cadbury
Lloyd’s risk model shows cost of catastrophes
EY: organisations need better risk governance, not more
iSO Standard On Supply ChainSThe International Standards Organisation (ISO) has published a new technical specification for supply chain continuity. Called “Societal Security: Business continuity management systems – Guidelines for supply chain continuity”, the standard ISO/TS 22318:2015 provides guidance on “methods for understanding and extending the principles of BCM embodied in ISO 22301 and ISO 22313 to the management of supplier relationships”.
For more information see bit.ly/1nJpH0n
9
The institute’s code for effective internal audit in the financial services sector is having a significant impact on how internal audit is harnessed and positioned in financial services firms. This brings new challenges and opportunities for practitioners and the institute is launching a new approach to supporting members in the sector. A sector advisory panel has been created, comprising institute members working in the sector, led
by Gordon Craig, director of internal audit at 3i. The panel will help to shape and focus the institute’s policy research and technical guidance resources in the sector. Sector-specific resources have been gathered under a financial services section on the resources area of the website. The panel will also guide the content of events for the sector, including a new annual conference for financial services sector practitioners.
The first annual conference takes place on 11 November in London. Ian Peters, institute CEO, will outline the new sector strategy and present the results of a new survey on internal audit’s role in conduct risk. There are plans to include other key sectors in the sector strategy in due course. Full details of the financial services sector conference can be found at www.iia.org.uk/bankingconference
ASIS International, a body aimed at helping security professionals, has published a new standard developed in conjunction with RIMS, the US-based risk management society.
Called “Risk Assessment ANSI/ ASIS/RIMS RA.1-2015”, the standard provides guidance on how to establish a risk assessment programme and conduct individual risk assessments consistent with ISO 31000:2009 Risk management – Principles and guidelines, as well as the COSO Enterprise Risk Management framework.
It also provides guidance on how to conduct risk assessments for risk and resilience-based management system standards for the disciplines of risk, resilience, security, crisis, business continuity and recovery management.For more information visit bit.ly/1ono4eP
9
Following years of criticism that executives at big companies and financial firms escaped jail in the financial crisis, the US Department of Justice (DOJ) has issued new policies to bring individual employees to book.
The DOJ’s approach will put pressure on corporations to turn in evidence against their executives. “Corporations can only commit crimes through flesh-and-blood people,” said Sally Q. Yates, the deputy attorney general. “It’s only fair that the people who are responsible for committing those crimes be held accountable. The public needs to have confidence that there is one system of justice and it applies equally regardless of whether that crime occurs on a street corner or in a boardroom.”
The new approach means that companies cannot get credit for co-operating with the government (plus smaller fines and a civil settlement) unless they identify employees and turn over evidence against them, “regardless of their position, status or seniority”. to read the memo visit nyti.ms/1ui5CZd
DOJ set to take on executives
Institute reveals new FS sector strategy and conference
aSiS and rimS releaSe riSk aSSeSSment Standard
10
Greater expectations
T he internal audit profession is
being perceived in a very different
light these days. Audit
committees are expected to
provide the same checks and assurances as
ever, but their purview is expanding just as
new risks emerge. Ian Peters, CEO of the
Chartered IIA, told the audience at the
institute’s conference last month that internal
auditors are no longer “box tickers” helping to
improve governance with hindsight. Instead, it
is important to anticipate risks and ensure that
they are mitigated in advance.
From cyber security threats and the risks
associated with outsourcing, to auditing
corporate culture and businesses’ strategic
risk, organisations’ expectations of their
internal audit teams continue to grow.
“Internal audit is the only function that has a
view across an organisation and can provide
assurance on information from disparate
sources,” Peters told a packed auditorium. “In
addition to the strategic advisory role, we have
seen internal auditors focusing on areas that
were not on our radars until recently.”
Developing appropriate assurances for
cyber security has been one of the audit
committee’s greatest challenges in recent
years. As budgets are cut, particularly in the
public sector, there has also been an emphasis
on outsourcing, with all the risks associated
with hiring third parties. In many cases, the
two converge as companies increasingly
adopt cloud services – and this is often where a
company’s greatest vulnerabilities are found.
“It never ceases to amaze me, from all of the
organisations I speak to, just how many are
weak on this. They haven’t sorted out the
criticality of third parties. Some do reviews at
take-on, but won’t conduct any ongoing
due-diligence reviews,” said Kevin Brear, a
senior manager in business recovery services
at Grant Thornton. He advised that firms
should be fully aware of technology
developments, ensure they have the correct
blends of skill sets and people, share lessons
from breaches and information on emerging
risks, and develop practices quickly as
prevailing risks emerge.
The evolution of the internal auditor’s scope
and responsibilities was also emphasised by
Mike Wilson, partner, and Sameena Arshad,
director, internal audit risk and compliance at
KPMG. In its infancy, the role of the internal
auditor was to ensure compliance with
policies, procedures, laws and regulations. As
the profession matured, it grew to encompass
reviewing the efficacy of those policies and
controls and the adequacy of responses to
emerging risks. More recently, internal
auditors have come to enhance value rather
than simply to preserve it, they said. This has
meant offering more than core assurance, but
also contributing to business performance and
offering strategic support with a more
consultative approach.
Richard Chambers, president and CEO of
IIA Global, explained that the profession is
facing pressure from all angles, including a
shortage of emerging talent, rising
expectations from stakeholders, the challenge
of balancing assurance with other services,
increasing regulatory scrutiny and the
growing complexity of technology risks. This
means that delivering value is becoming more
challenging, particularly as the internal
auditor’s focus is being pulled in all directions
to align with evolving and emerging risks.
Encouragingly, internal auditors are keeping
abreast of this ever-changing pool of potential
threats. According to a survey carried out by IIA
Global’s Research Foundation this year, 91 per
cent conduct a risk assessment and 85 per cent
use a risk-based methodology for the plan.
However, 32 per cent assess emerging risks
only once a year and 65 per cent update their
plan no more than twice a year. Chambers
told the audience that if internal auditors are
to be fully effective they must “audit at the
speed of risk”.
Today, internal auditors are expected to
scrutinise factors that are far softer than
financial reports. Improper corporate culture
can be the undoing of a company and it is
increasingly the internal auditor’s job to
monitor this intangible yet crucial feature of
every business. Sir Gerry Grimstone, chairman
of Standard Life, said culture is far more
difficult to audit than a balance sheet.
“The challenge for internal audit is how to
do this, how to move into these softer areas –
and whether it has the skills to do so. But
I do believe the skills required to look at
risk culture need to be an extension of the
core capabilities of internal audit and, in
particular, your ability to intelligently and
robustly challenge and most importantly to
anticipate,” he said.
Last month, senior practitioners from across the country and sectors gathered for the Chartered IIA’s annual conference 2015, the largest of its kind in the UK. Delegates from up and down the country and the leading lights of internal audit, governance and risk management shared their insights into the unprecedented opportunities, changes and challenges that lie ahead. We have pulled together some of the most salient themes of this two-day event.
“The skills required to look at risk culture need to be an extension of the core capabilities of internal audit.”
11
Richard Chambers, president and CEO of IIA Global, told the audience that if internal auditors are to be fully effective they must “audit at the speed of risk”.
“ Internal audit is the only function that has a view across an organisation and can provide assurance on information from disparate sources.”Ian Peters, CEO of the Chartered IIA
“The challenge for internal audit
is how to move into these softer
areas – and whether it has
the skills to do so.”Sir Gerry Grimstone, chair of Standard Life
Andrew Fitzmaurice, chief executive at Templar Executives, speaks about need for cyber resilience in the UK.
Alistair Smith, internal audit risk and control director at EDF Energy, discusses what good risk management looks like today.
1212
REPORTAGEEach year the Chartered IIA conducts research among heads of internal audit to find out what internal auditors are really doing in their day-to-day jobs, what’s happening to their budgets and what risks are highest on the team’s radar. Here are the results of this year’s survey.
?000000.00
!!?
000000.00
!!
To whom do you report? All Public Private sector sectors sector (non-FS)Chair of the audit committee 69% 43% 72%CEO 12% 32% 2%Other 8% 11% 6%CFO 7% 10% 12%Board chair 4% 4% 7%Chair of other board committee 1% 0% 2%
Changes to public sector budgets Budget increase No change Budget decreaseLocal government 14% 39% 47%Central government 16% 58% 26%Rest of public sector 27% 50% 23%
Which of the following services in addition to risk-related roles does internal audit provide your board/board committee? (check all that apply)Conduct confidential investigations, such as fraud 84%Provide views on the performance of management in relation to controls or the adequacy of corrective actions 77%Provide an annual opinion on the adequacy of the organisation’s system of internal controls 73%Offer concrete proposals on improving internal controls 71%Conduct governance reviews 61%Act as a channel for whistleblowing 52%Manage co-sourcing of internal audit functions 49%Provide input on the evaluation of the external auditor’s performance 31%Contribute to the induction and/or CPD of board members 28%Advise the board/committee on reports or information from external parties, such as regulators 26%Monitor board/committee activities to ensure the committee’s charter responsibilities are accomplished 23%
?000000.00
!!
13
More detailed results can be found at www.iia.org.uk/govandrisk2015
Out of the list below, which are the top five areas of risk on which internal audit currently spends most time/effort – and which are the top five risks your organisation is facing?
Time/effort spent Risks facing the organisation
Operational 76% 48%Adequacy and effectiveness of risk management 61% 36%Financial reporting and control process 51% 21%Corporate governance – process and structure 48% 26%Data privacy and security 47% 43%Regulatory change 40% 49%IT projects 38% 35%Fraud 23% 16%Business continuity 22% 16%Outsourcing/supply 20% 16%
Can you meet the following without management present? All Public sector Private sector Financial servicesExternal audit 95% 96% 95% 95%CEO 92% 89% 93% 96%Chair of the audit committee 89% 87% 93% 90%Chair of the board 71% 61% 70% 75%Chair of the risk committee 50% 38% 35% 82%The regulator 46% 30% 32% 75%Other non-executives 29% 22% 25% 36%
Choose the top five competencies you and your team need to perform your work effectively now – and those you will need in five years’ time Now Five years’ time Communication skills 77% 68%Problem identification and solution skills 65% 56%Knowledge of industry, regulatory and standards changes 58% 55%Business/commercial acumen 54% 58%People management skills 44% 43%IT/ICT frameworks, tools and techniques 42% 50%Change management skills 38% 46%Conflict resolution/negotiation skills 37% 30%Ability to promote value of internal audit 35% 31%Accountancy frameworks, tools and techniques 30% 22%Organisational skills 29% 22%
?000000.00
!!
?000000.00
!!
Global challenges
14
Words: Ruth Prickett Photographer: Peter Searle
While much has been written about the increasingly global nature of many internal audit roles (and the value of transferable qualifications), few UK internal auditors have a job that is as fully international as that recently taken on by Madina Bazarova. CGIAR is a global consortium of 15 independent research centres generating agricultural research to alleviate problems such as poverty, hunger, malnutrition and environmental degradation. The organisation, which has its headquarters in the French city of Montpellier, is funded by governments around the world and the money is coordinated by the World Bank.
Bazarova’s role as associate director of CGIAR’s internal audit unit Asia, which she began in June this year, is based in Malaysia, but she is responsible for putting together a team that will audit five research centres based in Malaysia, Indonesia, Sri Lanka, the Philippines and India. Not only are these geographically scattered, but the research itself is diverse and, usually, long term.
Bazarova’s team is hosted by one of the research centres headquartered in Penang called WorldFish, which strives to harness the potential of fisheries and aquaculture to reduce hunger and poverty. In India the focus of the research is crops in semi-arid tropics, while in the Philippines it is rice and in Indonesia, forest. Each research centre has very different needs in terms of resources and faces varying risks – for example, work in the Philippines involves hiring local
people to farm large paddy fields of different types of rice, so internal audit may need to provide assurance that these people are treated according to labour laws and have adequate health and safety provisions.
Broader risks that need constant assurance and monitoring include funding, fraud and corruption, cyber crime and research outcomes. As a qualified accountant who spent many years working for Save the Children, which she joined in 1998, Bazarova is familiar with many of the financial pressures facing third-sector organisations, but there are also important differences in her current role.
“At CGIAR we have a lot of stakeholders to satisfy – from the general taxpayers and governments and traditional donors to our staff,” she says. “Volatility in funding is an issue for everyone in this sector because governments change their priorities year on year and they own the projects, but CGIAR’s work is intellectually charged: we can’t suddenly cut our spending on commodities, such as tents, in the way that Oxfam or Save the Children can. Our major expense is people and if we lay off scientists then we won’t get them back and it could jeopardise a long-term research programme.”
CGIAR cannot, of course, predict exactly what governments will choose to do with their money, although it can follow regular events such as elections that may cause a delay to payments or a change in funding policy. It is also
Madina Bazarova, associate director of the internal audit unit Asia at CGIAR ( The Consultative Group for International Agricultural Research), explains why she moved from London to Malaysia to take up this role and why soft skills are the key to performing successful internal audits worldwide.
15
Words: Ruth Prickett Photographer: Peter Searle
“Volatility in funding is an issue because governments change their priorities year on year and they own the projects.”
16
vulnerable to sudden reversals caused by emergencies and natural disasters.
“At the moment European governments are focusing on the refugee crisis, but our funding can also be disrupted by a disaster such as an earthquake or a tsunami,” she explains.
With little room for spending flexibility, the internal audit team has to focus on providing assurance that what she calls the “accounting fundamentals” are in place and are working effectively – that is, basic controls that ensure that the organisation does not hit cash flow problems that could have been anticipated.
The job also incorporates personal challenges for Bazarova. Having worked at Save the Children in a number of roles, initially in finance and then in internal audit, she decided to move because she wanted new experiences and felt that it would be good to have a change. And change is what she got. She moved from a London-based job in a huge organisation with a relatively large internal audit team, where she knew lots of the key people, to an office in Penang, where her first task was to build a new internal audit team and to pick up several months’ backlog of audits that had been neglected while the previous team, based in the Philippines, was winding down.
Fortunately, she points out, the labour market in Malaysia is excellent and there is a Malaysian Institute of Internal Auditors, so she could look for the right person with either a local or a global internal auditing qualification. She is also looking for a specialist IT auditor who can set up an IT hub in Penang to drive the consortium’s global IT audit strategy. “It’s difficult because everyone is looking for great IT auditors at the moment,” she admits, “but Penang is a good place to search because there are lots of IT companies here and we’ve seen some very good candidates.”
Recruitment is a risk for the consortium as a whole. “There is huge competition for the best scientists and, since we can’t pay them
the best salaries in the market, it’s important that we can offer them exciting opportunities to do ground-breaking work that makes a difference and enables them to publish interesting findings,” Bazarova says. One relatively new pressure from governments is assurance that scientific findings are translated into actions that make a real difference to people’s lives and this means the organisation has to focus on forging partnerships with other charities that can implement findings on the ground.
Fraud and corruption are a concern for any organisation spending public money on global projects. As Bazarova points out, cultural norms and expectations vary widely in different countries and it’s vital that CGIAR can demonstrate that it makes clear what is acceptable and unacceptable to people working at all levels across the consortium. Scientific fraud is less of a concern, she says, since prominent scientists sit on the board and on recruitment panels and review projects and findings. However, the organisation is still vulnerable to the
“normal” types of fraud and corruption faced by any multinational organisation working in places where petty pilfering is widely seen as a perk of the job and backhanders are too often “the way things are done”.
It’s important that internal audit works with strong support from the board and gets full oversight of what goes on, Bazarova says. In addition to scientists, the research centre boards also include representatives from governments and senior figures from commercial banks who bring in their private-sector expertise.
“I generally feed into the boards via the audit committee and I report to the audit committee chairs,” Bazarova explains. The audit committees meet four times a year, twice face to face and twice by conference call, since members come from across the world and from a variety of sectors. “This means that all the members have different perspectives, which really enriches the
decision-making process,” she says. To add to the complexity, each research centre is separate with its own research priorities and projects so each has its own audit committee. This means Bazarova is attending five such meetings in October and November.
“I’m part of a shared internal audit service across the consortium and the more I learn about what these organisations do the more interesting it becomes,” she says. “The issues are not just environmental and developmental, but also ethical and about intellectual property – for example, some projects involve genetically modified crops and different governments have varying debates and policies on GM.”
Changes to the consortium’s governance structure and the introduction of a number of large themed projects spanning scientific teams in different places are also adding to Bazarova’s work, creating some uncertainty about internal audit’s role and more demands for complex multinational audits.
All the consortium’s centres sign up to an open access policy for their research findings;
“The issues are not just environmental and developmental, but also ethical and about intellectual property – for example, some projects involve genetically modified crops and different governments have varying policies on GM.”
17
however, Barazova points out, this can be complicated when working with third-party projects and it’s important that all the organisations understand the legal situation and what they can and can’t publish or do.
“I’m currently going through the risk registers for each of the organisations I’m responsible for and identifying which risks have remained constant and whether there are new and emerging ones that we should be auditing,” she says. “Apart from anything else, I have to consider the risks to this audit function – we are a shared service and if we are not providing what these organisations need they can go elsewhere. This is very different from my last job. It feels far more as if I am a consultant.”
This, she adds, has “stretched” her soft skills and has certainly provided her with the new experiences and developmental opportunities she was looking for when she left Save the Children. Now more than ever, she says, it’s vital for her to build relationships and communicate what internal audit is trying to achieve, how it intends to do it and the benefits it provides.
“What attracted me to internal audit in the first place was that you get exposure to different areas of activity and different functions, which is great for learning,” she says, although she admits that she can find it frustrating not to be responsible for putting recommendations into practice.
However, developing the right soft skills to influence and persuade people to implement the required changes effectively is both vital and rewarding. Bazarova had plenty of
experience working overseas for Save the Children – she visited over 50 countries during her time at the charity – but a new
place still presents new issues. “I wasn’t born with soft skills and finding
the right way to approach things, especially in a new country and culture, involves a long process of trying things out and seeing what works best,” she says. “You even have to be careful about what you say and how you say it when you’re socialising outside work – the jokes you make and light-hearted comments could affect how you come across. One board member told me about a terrible experience he’d had with an internal auditor 20 years ago and it clearly still affected his view of internal audit.”
At the same time, she adds, internal audit has to be prepared to stand up, be critical and, sometimes, persuade people to change set ways. “We talk about protecting and enhancing organisational value, but you can’t do this without soft skills,” she says. “If you’ve got great technical skills but no soft skills and people don’t follow your advice then you’ve only done half of your job.”
CGIAR is a global consortium of 15 independent research centres generating agricultural research to alleviate problems such as poverty, hunger, malnutrition and environmental degradation.
18
sowing a seed
teve Powell is both head of group audit at specialist lender Paragon Group and head of internal audit at its new banking subsidiary, Paragon Bank. Over his career working as an in-house head of audit and as an outsourced provider of internal audit services to new businesses, Powell has set up five different teams. He has worked in a broad range of sectors including financial services, manufacturing and pharmaceuticals, and believes that it is a lot easier to build something credible from scratch if you have a depth of multi-sectoral experience to draw on.
In particular, he recounts setting up an internal audit function from scratch in a large international manufacturing group. He was new to the business so made it his mission to introduce himself to all the key stakeholders and understand what they did. He also had to educate them about what internal audit was going to do. “I think even today, people think you are there to find fault,” he says. “I wanted to make it clear that wasn’t the objective. You need to really emphasise the benefits.”
At Paragon, the group’s internal audit team also provides internal audit services to the bank, so the team wasn’t built from scratch. Nevertheless, Powell had to assess the knowledge and skills gaps that existed for the new business – and plan how to fill them. The group team’s only real deficit was on the regulatory side, so he
recruited some experienced people and also co-sourced some of the planned review work. “We could see a mutual benefit from bringing in external technical expertise to work with our own team so we could learn from each other,” he explains.
He believes the key to success is to engage with stakeholders and to nurture those relationships. “If you can genuinely understand the organisation and make sure that the board and directors are on your side you can engage everybody with what you’re trying to achieve and really make it work.”
Auditing the NHSSimon Gascoigne CMIIA is deputy director of 360 Assurance – a subsidiary of Leicestershire Partnership NHS Trust which provides internal audit services to around 35 NHS trusts and clinical commissioning
Heads of internal audit usually join an established team, but they are occasionally invited to set up a function from scratch. When this opportunity comes along, what are the keys to success – and the challenges? To find out we asked four HIAs with experience of putting new internal audit teams together to share their knowledge and experience of how it’s done.
Words: Wilma Tulloch
s
19
“If you can genuinely understand the organisation and ensure that the board and directors are on your side, you can engage everybody with what you’re trying to achieve and really make it work.”
Words: Wilma Tulloch
20
groups. As the NHS has changed over the years, 360 Assurance’s services have come under commercial pressure. This led Gascoigne and his colleagues to think about how they could differentiate the way they offered internal audit services.
At the same time, 360 Assurance recognised that in an increasingly clinician-led NHS, its audit teams were made up of auditors and accountants. After extensive discussions with customers around what they wanted and needed, it set up a new internal audit function which for the first time included clinicians. This tipped the focus of audits away from the financial and towards the operational.
Gascoigne recalls that taking the plunge to employ the first non-auditor was his biggest challenge. Subsequently, the introduction of the new Clinical Quality Audit Team has gone well. Now in its third year, the team can hardly grow fast enough to meet demand. However, like Powell, Gascoigne found that there can still be resistance to internal audit so an important component was to “sell” the new team. Having clinicians on the audit team has been a big help with this. “If your customer is a medical director you get far more credibility if you are a clinician yourself,” he says.
“But it is about how you position internal audit as well,” he adds. “We have worked very hard at how internal audit is seen. We aim to get the client on board so that they agree there is always
room to improve, and that it is beneficial to work in partnership to identify where those improvements are. It’s about how we can help the organisation to achieve its strategic objectives and build mutual trust and an understanding that we are all trying to get to the same place.”
Corporate focus for NZFS UK member Caroline Steele CFIIA has built a new internal audit function for the New Zealand Fire Service (NZFS). Before she joined, a review indicated that a more corporate-focused audit team was needed. Steele, the NZFS’s internal audit manager, began by holding conversations with senior managers and new colleagues, and combing through documents on governance, business planning and risk to build a picture of the organisation and its risks.
Her next step was to put together an audit plan. This drew partly on her experience of typical audits, but she also considered the aspects unique to the fire service. Steele’s plan indicated how many days of audit work each year the audits would take with different numbers of auditors. Once the plan was accepted, she was able to go out and hire her team.
She also tackled what she calls “the argumentative tension” that existed between internal audit and management. “I picked up previous audit reports. Management would disagree, then internal audit would say, ‘no you’re wrong’. I didn’t think
that kind of back-and-forth process added value for anybody,” she says.
“If people don’t accept your findings you’ve got to build that relationship until they know your work is good enough and credible enough that they can see the value in what you say. It’s about bringing people round to thinking, ‘actually, it’s good to be challenged and to have someone taking an independent look at things’.”
Steele concludes that the key to success has been getting the right people on board. “It’s their efforts day to day that have built the reputation of our team,” she notes. In addition, she believes it’s crucial to nurture relationships with the CEO and the audit committee.
“That gives you a voice at a very senior level and credibility. Although,” she adds, “you have to deliver the quality of work that they want, which is about having the right people.”
A team from scratch at TSBRosemary Hilary is the chief audit officer at TSB Bank. She joined in October 2013, just weeks after it was re-created as a standalone bank by transferring millions of customers out of the Lloyds Banking Group (a condition of Lloyds taking state aid during the banking crisis). She built the bank’s internal audit team almost from scratch, but it was not a new experience, since she’d previously built a team at the Financial Services Authority.
Hilary says that it’s essential to “study the business you are in”
Ten tips for creating an internal audit function 1 Engage with all your
stakeholders and continually nurture those relationships.
2 Position your team as one that will help the
organisation to achieve its strategic objectives.
3 Establish and clearly communicate the vision and
culture of your audit team.
4 Where appropriate, pull individuals from the
business into guest auditor roles – this accelerates the team’s acceptance in the business and brings in vital business knowledge.
5 Seek information and advice from professional bodies,
especially the Chartered IIA.
6Use audit planning and benchmarking data to shape
the team.
7 Design roles carefully to attract the right people.
8 Be forward-looking – for example, try to anticipate the
strains that rapid growth might put on your organisation.
9Understand in the broadest sense what the organisation
needs from internal audit – for instance, think about what every member of the board could want from your team.
10 Work with the organisation, but remain a critical friend.
“If people don’t accept your findings you’ve got to build that relationship until they know your work is good enough and credible enough that they can see the value in what you say.”
21
before you can form a new internal audit team – in TSB’s case, this meant its past, present and future. She then set about creating an audit strategy and universe: “What were the key risks and how we would go about having a strategy to audit them.” She produced a menu of options so that the executive committee “could have a really good quality conversation around what we could do with different levels of resource”. Those discussions established the headcount and budget for the new team.
Hilary also saw it as vital to invest in setting the “tone” of the type of audit function she needed. “I wanted to set out my vision,” she says, “which is to have a function that works with the business so that together we
can create the strongest possible risk management and internal control system. Of course that does mean challenging, but it’s really important that you are part of the business and seen to be a partner.” She therefore looked for people with both the right mix of skills and experience, and the ability to contribute to the “tone” she wanted to create.
She has three main pieces of advice for others in her position. First, it is essential to build good stakeholder relationships among business colleagues and with the audit committee. Second, make sure the audit plan looks to the future. Last, create interesting jobs and career opportunities to attract and retain a high-quality team that will deliver value for the business.
Further informationThe Chartered IIA has produced guidance on setting up a new internal audit function and on models of effective internal audit. These can be found on the institute website at www.iia.org.uk/setupnewia and the models on effective IA at www.iia.org.uk/models
Paragon Group’s internal audit team and 360 Assurance’s Clinical Quality Audit Team were named as outstanding teams in the Audit & Risk Awards 2015, while the internal audit team at New Zealand Fire Service was highly commended.
For more details about this year’s awards visit www.auditandrisk.org.uk/awards
As the NHS has changed over the years, 360 Assurance’s services have come under commercial pressure. This led Gascoigne and his colleagues to think about how they could differentiate the way they offered internal audit services.
22Words: Ruth Prickett
Value poolWhen United Utilities recently underwent a Chartered IIA external quality assessment, its head of internal audit and risk was already quietly confident his team met all the required professional practice standards. He explains why it was feedback on broader processes and a sense of how the organisation benchmarked against others that really added value to the experience.
United Utilities’ head of internal audit and risk, Mark Lenton, was clear about what he wanted from the internal audit team’s recent
external quality assessment (EQA). The organisation had not had an EQA for five years – before Lenton joined the team – and since then it had gone through substantial changes to drive improvement and respond to shifts in both the external regulatory environment and on the senior management team, including a new chief financial officer and chief executive, as well as a new audit committee chair.
United Utilities provides water and wastewater services to around seven million people in north-west England. The sector is highly regulated and recent changes have provided both uncertainty and opportunities, says Lenton. “The regulatory focus is now more on outcomes rather than on inputs and activities, which leaves the company more scope to work out how to do the right things,” he explains. “Partly as a result of this, and to improve operational, customer service and financial performance for key stakeholders, the company has made a huge number of
internal changes. The need for assurance is therefore very high and my team and I have to remain responsive to ensure we focus on the right things, so it’s an interesting time to be in internal audit.”
Lenton was confident that his team was performing well. Ongoing quality assurance and customer surveys were all positive and the executive and audit committee had expressed no particular concerns. However, he was keen to get external verification and feedback, as well as believing that an EQA was necessary if the organisation was to follow best practice guidelines.
“There was no sense that anyone was dissatisfied with what we do, but it’s always a good idea to seek feedback, listen and learn from others,” says Lenton.
“The last EQA focused at a more strategic level, leaving many areas needing detailed review. It did, however, identify significant areas for improvement and found that although the function had good people, it was perceived as underperforming, lacking focus, leadership and management,” he says. “My focus on joining was to transform it, then push on to innovate and improve further.”
23
View from Brian May, audit committee chair at United Utilities “The key decision was not whether to do an EQA, but who should do it. Mark put forward the idea of using the Chartered IIA rather than one of the Big Four accountancy firms and we were very pleased with what this produced. From my point of view it wasn’t time-consuming and I had confidence in the assessor because she’s been a head of internal audit at a FTSE 100 organisation herself. The feedback was well structured and was very positive. This meant there weren’t any huge changes recommended, but I had full confidence in the assessor’s opinion and felt it had gravitas.”
“An EQA could be regarded as threatening, but for me it was an opportunity to showcase what you do, be challenged and learn from others.”
24
To support this, Lenton believes it’s vital that he and his team keep up to speed with wider changes and developments in the profession. He attends institute update courses as well as the Chartered IIA’s leaders forum. Staying abreast of what others are doing (and sharing his own experiences) is, he says, an essential activity if internal audit is to remain relevant, valued and credible.
All these factors meant that Lenton was adamant there was no point doing a tick-box exercise. “An EQA could be regarded as threatening, but for me it was an opportunity to showcase what you do, be challenged and learn from others,” he says. “Complying with standards is important, but all good teams will do this and it doesn’t tell you anything more. It was the opportunity to receive insight and advice that I welcomed.”
The perfect matchLenton knew that he needed to find an EQA provider that could assess what his team was doing to the right depth, would answer questions credibly and would inspire the respect and attention of his team, the audit committee and the chief executive. He considered a range of providers, but was attracted to the Chartered IIA because he saw it as independent, credible and with a clear aim to improve the profession. He also believed it offered a flexible review, beyond the standards. He presented options on providers and discussed these with the executive directors and audit committee, who selected the institute and opted for the full EQA service while using the Chartered IIA’s self-assessment tools to help them prepare.
“The institute also offered us a choice of credible assessors,” Lenton adds. “This gave me confidence because if my most important stakeholders are being interviewed, my team and I need to trust the assessor. They need to make the process as engaging, relevant and rewarding for interviewees as possible; this means having a conversation at the right level with the right authority and understanding the issues to ensure they get the best response from the interviewee.”
It was also helpful, he adds, that they could tailor the timing of the EQA to fit United Utilities’ audit committee schedule. The process was flexible and the assessor was both efficient and willing to use a mix of face-to-face and phone interviews. She also drafted reports as she went along so Lenton could give his feedback and she could get corroboration from other interviewees as the EQA progressed. This flexible approach allowed Lenton to request a one-page executive summary of the findings. Overall, this meant the final report could be completed without delay. It was then shared with the audit committee and executive and, crucially, the assessor joined them in person to present her findings.
“I really enjoyed the process,” Lenton says. “The assessor wasn’t shy about saying what she thought and forming her own views. That’s what made it valuable.” He felt the report, which was extremely positive, was balanced and fair and was delighted that the assessor concluded that the function had
successfully transformed to become a leading-edge internal audit service, and rated their new longer-term planning process as a “world-class” innovation.
“As you’d hope, there were no huge surprises, but internal audit can operate in a vacuum in terms of receiving direct feedback, so it’s great to be told your work is good quality. It made me even more proud of my team – after all, it’s not by luck that we got here,” he says.
The EQA also confirmed that the internal audit team benchmarked favourably with the IIA Global’s maturity model. Lenton particularly valued comments that said they were “listened to, respected and trusted” and “focused on what really matters”, as well as the broader recommendations to support the team’s continuous improvement.
The team was praised for its robust, fully automated action-tracking processes, and the way in which these are supported by networks of audit business partners. Other areas cited included the dual co-sourcing approach and the variety of broader resourcing programmes inviting guest experts and secondees into internal audit. All these contributed to the function’s strong reputation in the business, its effectiveness and the way it co-ordinated assurance, Lenton says. The various ways in which the team develops the knowledge and skills of auditors were also praised.
Looking aheadThe forward-planning process that Lenton and his team were still developing at the time of the EQA had been prompted by the increased need to deliver assurance in a flexible and efficient way and further enhance its quality. Lenton was keen to explain to the audit committee what internal audit could provide and to find ways to ensure that they could see what they were getting and to understand findings. At the same time, he wanted the broader business to understand better the purpose and aims of the audit team.
The new process built on what the organisation had done previously, remaining
United Utilities’ tips for EQA success 1 Prepare well –
give the assessor all the documents they need.
2 Ensure the initial scope is clear and
agreed internally so that it adds value to the organisation and answers all the relevant questions. Make time to get input from all the necessary people.
3 Make sure you get the right supplier
who can answer all these questions and has the right level of credibility.
4 Get the right assessor for your
organisation.
5 Get someone in the team to
project-manage the EQA – it’s valuable experience and an important role.
6 Set time aside to talk to the
assessor. This is an opportunity for both parties to raise questions and speeds up the final reporting process.
7 Use the experience to
showcase what you have achieved.
8 Be prepared to be
challenged and to learn from
others and listen and respond positively to the findings.
“The institute offered a choice of credible assessors. This gave me confidence because if my important stakeholders are being interviewed, my team and I need to trust the assessor.”
25
risk-based but taking it to a new level. First they revised the whole audit universe containing key business processes, systems and activities, plus the legal and regulatory issues that they needed to consider. They sought input from business managers to validate their own views, note any forthcoming changes and associated timescales, and facilitate management’s assessment of key risks.
The team then assessed each area independently to see whether each manager’s view of risk seemed accurate and to gain a view of the risk maturity of the manager and the business area. This helped both validate the audit universe and also gave the internal auditors further insight into the organisation’s risk capabilities. They allocated
scores showing high, medium and low risk to different parts of the audit universe then used this information to develop a rolling forecast of intended audit coverage over five years, and a more detailed plan of the assurance the team would provide over the next year.
“This is a long-term strategic approach and we’re not a slave to saying we have to look at certain things at pre-set times,” Lenton explains. “We can vary the nature, breadth and depth of activities as well as the frequency.”
The real innovation and step-change in the approach was in developing a framework to allocate better the level and type of assurance activity that they felt was necessary and how often this should be performed. To support this, three types or “intensity” of audit activity were defined: a
basic level comprising a tailored self-assessment form completed by the manager and then followed up by internal audit; an intermediate review that considers the design effectiveness of existing controls; and a “deep dive” – a more traditional end-to-end review of key processes and controls.
Each audit type has a defined list of the activities involved and a corresponding resource allocation that are fed back into the plan. The approach enables the team to flex their rolling plan depending on findings, move and adapt the audits they do, and ensure they have the right resources and can respond to developments. It also gives them an overview of the areas that have been audited, to what level and on what dates – as well as highlighting any areas with lower coverage.
Lenton says this approach is useful because he can say to management “I can do x number of audits at this intensity level with these resources. If you need more then we will need more support.” It also means he can better explain to managers why they are or are not auditing a specific area that year. For example, if part of the business is about to implement a new IT system or undergo another significant change, Lenton and his team can defer an activity or change the audit type, scope and timing to keep the assurance relevant.
“It allows a more informed, intelligent conversation about plans,” he says. “But it also means that we can stay flexible, while knowing that important changes are factored in and we won’t miss anything. We can constantly feed back new findings from conversations with managers.
“It hasn’t massively changed what we do or how we do it, but it gives us an extra layer of detail and we’re more confident about the underlying science. The transparency gives other people more confidence in what we’re doing too.”United Utilities was the winner of the 2015 Audit & Risk Award for Outstanding Team – Private Sector. For more details see www.auditandrisk.org.uk/awardsFind out more information about the institute’s EQA service at www.iia.org.uk/eqa
26
The relationship between internal audit and different senior managers varies from organisation to organisation, but the company secretary should be seen as a close ally in most – not least because the two roles share many common characteristics. So how can this work in practice?
Building strong relationships with management while maintaining independence can be a tricky balancing act for internal auditors. Audit
heads need to have a clear understanding of what directors are thinking in order to support them and provide them with useful information, which is something they have in common with the company secretary. While speaking to the CEO is ultimately preferable, and the finance director a strong second (although there are issues about how often audit heads should report to the FD, as well as the topics they should discuss), the company secretary may be able to provide guidance on risk, compliance and control issues more freely because they are required to focus on these areas.
The roles of head of internal audit and company secretary have a lot in common. For example, company secretaries often sit on the audit and risk committee, compile their agendas, look at internal audit reports and check the financial statements from external auditors.
Peter Swabey, policy and research director at the Institute of Chartered Secretaries and Administrators (ICSA), says this is why there is already a close working relationship between the two professions – “both jobs require the same kind of approach”.
“The role of the company secretary should be to appraise the board’s strategic business objectives and to see how these can be achieved ethically and legally. Internal audit’s role is to see whether the organisation’s processes can be relied upon to deliver these objectives,” he says.
“Internal auditors and company secretaries have distinct roles that no one else in the organisation shares,” he adds. “While both professions are there to
support management, they also have a strong role in providing an independent challenge to management and the executive, which puts them at risk of being labelled ‘business prevention officers’,” he says.
Company secretaries should usually report to the board chair, although many report to the CEO with a “dotted line” to the chair – although this is changing, particularly in the financial services sector. Heads of internal audit will more often report to the chair of the audit committee, with a dotted line to the finance director. But Swabey believes that reporting to a “part-time” non-executive director may present difficulties for heads of internal audit, especially on a day-to-day basis, as the audit committee chair will not always be available.
“If heads of internal audit have concerns or queries about governance issues or management strategy that are not major enough to involve the audit committee, then to whom should they report? Raising operational concerns with the finance director may not always be appropriate as it may affect internal audit’s independence to report to him or her on day-to-day issues.”
This is why it may help to cultivate an ally in the company secretary, says Swabey. “Company secretaries have boardroom standing and act as an independent challenge to executives in the same way as internal audit does. They are also on call all the time, as opposed to audit committee chairs. It therefore makes sense for heads of internal audit to consult with company
Words: Neil Hodge
Common cause
27
“Heads of internal audit can never have too many friends, and one with a foot in the boardroom and a similarly independent role can be helpful.”
“It makes sense for heads of internal audit to consult with company secretaries because both functions are independent of the executive and both have the same goal.”
28
secretaries on certain issues because both functions are independent of the executive and both have the same goal.”
He suggests that audit heads and company secretaries can collaborate in several areas. For example, heads of internal audit can play an active role helping to induct new directors (executives and non-executives) and making them aware of the organisation’s risk profile, internal control framework and risk appetite.
Company secretaries should in turn use internal audit as a valuable resource to get a better idea about operational risks and controls. “Internal audit is one of the few functions within the organisation that actually has on-the-ground knowledge of how different departments work in reality, what their risk profiles are like, and how well the people working within these departments appreciate risk levels and understand risk management and internal control,” Swabey says.
“It is hard to gauge these kinds of issues just by looking at reports and hard data – you need to get a feel for what is happening and internal audit can provide that input and give an independent viewpoint.”
Swabey adds that internal audit can help company secretaries to understand the “culture” of the organisation. “Company secretaries are aware of what the ethical tone of the organisation should be, but they don’t have the level of insight that internal audit has about how the ‘tone from the top’ is cascaded down the organisation and understood in reality. It therefore
“A recent statutory instrument under the Companies Act 2006 requires the strategic report from the boards of all listed companies to include a description of the risks facing the company and how these are managed. How can I do this without internal audit’s input?”
makes sense for both functions to liaise more regularly to share their findings and concerns.”
There is no specific Chartered IIA-related guidance or favoured approach on how heads of internal audit should work with the company secretary. However, the institute’s Standards and International Professional Practices Framework encourages internal auditors to work with others in the organisation as part of their goal to provide high-quality assurance.
The institute has also published guidance on the roles of internal audit around risk appetite and culture, which may prove useful given the company secretary’s duties to inform the board and shareholders in the annual report about risks to the business.
Chris Baker, technical manager at the Chartered IIA, says that company secretaries can also approach heads of internal audit with queries when they need information, rather than wait for finished reports. “Company secretaries need assurance on risk information to help inform executive decision making. Internal audit can give advice on whether controls are adequate and can say where controls have failed and what has happened as a result. If company secretaries want to ask questions on a rolling basis, they are free to do so,” he says.
Baker believes that more frequent meetings – formal or informal – between audit heads and company secretaries may prove useful. “Having meetings between internal audit and the
company secretary can help to inform the audit plan and what
areas internal audit should be looking at,” he says.
Many company secretaries already enjoy good working relationships with heads
of internal audit. Richard Russell has held a variety of
chartered company secretary roles since 1975 in organisations including defence company British Aerospace, magazine publisher Emap, property developer Hammerson and, latterly, Guinness Peat Group (now Coats Group), an investment holding firm.
He believes that greater corporate governance requirements have strengthened the relationship between company secretaries and internal audit over the years, particularly as the company secretary is usually the secretary of several committees, including audit and risk.
“One of the company secretary’s key roles is to prepare the various reports to shareholders, including the annual report. A recent statutory instrument under the Companies Act 2006 requires the strategic report from the boards of all listed companies to include a description of the principal risks and uncertainties facing the company and how these are managed. It has always fallen to me to prepare this content, which includes the section on internal and financial controls. How can I do this without internal audit’s input?” he asks.
“Furthermore, I’m not just looking for facts and figures, but
Str
ateg
ic
repo
rt
29
an opinion based on evidence on the ground. With the increasing focus on risk and uncertainty, the company secretary relies heavily on the internal auditor to keep abreast of operational developments so that he/she has the necessary information to put before the audit and risk committees, as well as the board,” he says.
“The internal auditor with their detailed knowledge and experience of the operations of the company can inform and support the committees on a regular basis, and can also take back any consequent feedback,” Russell adds. “The better the relationship between the company secretary and the head of internal audit, the stronger the
governance framework will be, as well as the appetite for risk.”
Russell says :“The last head of internal audit I worked with was terrific. He had a good feel for the operational risks that the company faced and he had visited all the overseas sites and knew how they worked and what needed to be done. He gave incredibly good feedback and risk information to me, as well as recommendations for improvements or areas that should be prioritised, and I was able to pass this on to the board with confidence.”
Susan Swabey, company secretary at medical technology company Smith & Nephew, says that she has found internal audit to be “a natural ally”. This is
because “we tend to think the same way and we both have a similar role to play. While we both report to management, we also report to the non-executives and so we provide assurance as well as an independent view.”
She adds that she has always had a good working relationship with internal audit. “Company secretaries work with internal audit to help compile the audit committee agenda papers and write part of the corporate governance statement in the annual report. The closer the relationship is, the more detailed and precise that information will be.”
She says that she would always encourage company secretaries and heads of internal audit to
spend more time together. “This does not need to be a formal arrangement – the relationship can become closer just through informal chats and knocking on the office door to ask questions or raise concerns. It is important that internal audit knows they can come to us at any time and that we may also approach them when we need to.”
Heads of internal audit can never have too many friends, and one with a foot in the boardroom and a similarly independent role can be helpful. Whether audit heads will want to consult with the company secretary as a first or last resort will depend on the circumstances – but it is always good to have options.
“Audit heads and company secretaries can collaborate in several areas. For example, heads of internal audit can play an active role helping to induct new directors.”
30
Words: Ruth Prickett
The practice of outsourcing, or contracting out one or more elements of an organisation’s operations, has become common as large businesses seek to reduce costs, access technological expertise or improve customer value. These benefits apply to both private and public sector organisations – the UK government doubled the amount it spent on outsourcing between 2010 and 2014 to around £90bn. The total is likely to grow as budget cuts and spending freezes prompt organisations of all kinds to outsource more functions.
However, there are pitfalls. Corporate failures and scandals arising from outsourcing have taught commissioning organisations that the tactic has risks. Suppliers who fail to live up to their obligations can cause serious reputational damage and, however good your contract, you can’t outsource all risk.
This problem isn’t going away. A company may have complex supply chains that span continents, but the contract between the commissioning organisation and the supplier still lies at the heart of the relationship. This is where internal auditors can add value.
A new report by the institute, “Auditing outsourced services”, outlines various approaches to managing the risks associated
with contracts and looks at best practice in leading internal audit functions in five organisations in the private and public sectors. Along with the institute’s technical guidance on outsourced services and extended supply chains, this is intended to help internal audit teams as they enter the debate on contract management and how it can be audited. The key findings in the report• Outsourcing the service does not outsource the risk. Organisations that engage in outsourcing services all seek competitive advantage. However, this may lead them to overlook risks that they wrongly believe to have been transferred to a supplier. Some may think that they have thrown the risk “over the fence”, but this is a mistake – ultimately, they will still suffer from any reputational damage.• The risks associated with outsourcing can be serious. The case studies highlight a number of risks borne by the commissioning organisation including: poor visibility of individual contract performance; lack of contract management skills; poor relationship and interaction with contractor; inconsistent approach to day-to-day contract management; third-party provider ethical/
cultural issues; and unclear roles and responsibilities within the contract management team. Overlooking such risks may cause service failure or delay, extra costs or reputational damage. • Internal audit can support boards over outsourced services. The board and senior management should want assurance that outsourcing risks are being managed. If outsourced services are of strategic importance they should feature on internal audit plans. Over time, assuring outsourced projects is likely to become a regular feature of internal audits in all sectors. The precise role, timing and extent of internal audit’s involvement will depend
Public and private sectors alike have embraced outsourcing as a way to improve services, buy in specialist expertise and cut costs. However, some organisations have found out the hard way that outsourcing does not mean offloading all risks. A new report by the Chartered IIA examines the role of internal audit in managing those risks and asks five leading organisations to share their experiences and lessons learnt.
Out of sight, out of mind?
31
£90bn The UK government doubled the amount it spent on outsourcing between 2010 and 2014 to around £90bn.
Outsourcing in a nutshellOutsourcing is the process of contracting out one or more elements of operations to a supplier outside the organisation’s management structure. Organisations engage suppliers as part of their strategy to deliver operational objectives. A third party wins a contract to provide the service at an agreed price. In many cases a third-party service provider delivers services for, and in the name of, the organisation to its clients.
Outsourcing activity is carried out through the procurement process. Commonly outsourced areas include back-office functions such as HR or facilities management. More complex outsourcing arrangements include IT support, logistics and supply chain management. The key drivers for outsourcing are cost reduction and access to expertise.
The consequences of poor contract management are broadly:• Service failure or delay – the third party fails to deliver the service or does not deliver to the standard specified in the contract.• Higher costs – the costs rise because of changes to prices or the quantity and quality of services delivered. These additional costs may not represent value for money, which ultimately concerns taxpayers or shareholders.• Reputational damage – the third party behaves in a way that harms the reputation of the customer organisation.
Regulatory penalties for third-party actions can also affect the achievement of strategic objectives. For example, the Financial Conduct Authority fined three banks in the UK £42m for failures in IT managed by third parties, which prevented the banks’ customers from accessing banking services.
on the perceived risk it presents to the organisation, the board’s risk appetite, and the cost and complexity of the outsourced service.
Lessons for internal audit• Get involved early to help avoid contract failure. This includes reviewing the process behind the decision to seek an external service.• Assess how well risk is being jointly considered by the commissioning organisation and the supplier. • Ensure that the audit coverage matches the scale, nature and number of contracts.• Audit teams working on contract audits
should ideally be multidisciplinary, with contract management experience where necessary. • Internal audit can add value by benchmarking supplier/contractor performance to drive overall improvements. • Right-to-audit clauses are common – it is important to invoke this clause where high value or high profile contracts are involved.• Don’t rely on a purely systems-based approach, but complement this with substantive testing to see the consequences of control failure.• Where there are several layers of assurance on a large project involving many contractors and complex interfaces, ensure that assurance is co-ordinated so that audit does not hamper progress. Internal audit has a key role to play When a service is contracted out internal audit can get involved in the following ways.• Strategic intent and feasibility. Provide assurance that managers are using the recognised process to complete a feasibility study to show there is a clear business case aligned with the organisation’s strategic objectives.• Implementation and management. Review the supplier selection process and assess whether the organisation has adequate and effective policies and procedures for tendering.• Contract management arrangements. Examine the performance management arrangements when a contract is operating.
The first section of the Chartered IIA report considers why outsourcing is important and the role that internal audit can play. The second section examines five case studies that lay out different approaches to managing outsourcing contracts and the lessons learnt from each organisation’s experience. The organisations that took part in the report are: Crossrail, the largest
construction project in Europe, sponsored jointly by the Department for Transport and Transport for London; the Ministry of Justice; the Home Office; the BBC; and EDF Energy. To read the full report, visit www.iia.org.uk/outsourcingreport
Take the CIA and join the global profession
www.iia.org.uk/ciaREGISTER TODAY
www.iia.org.uk/ciaworkshopsBOOK YOUR PLACE
What will you learn?
Tools and techniques to establish a risk-based internal audit plan
How to conduct and manage engagements
How to evaluate fraud risk and controls
Principles of governance and business ethics
How to analyse business processes
The latest IT security and system risks
Financial management conceptsWhat will it cost?Registration, exam fees and
the CIA Learning System £1,295 +VAT
Workshop dates
CIA part 1 9–10 Feb, London 8–9 Mar, Manchester 19–20 Jul, London
CIA part 2 26–27 Jan, Bristol 14–15 Mar, London 5–6 Jul, Manchester
CIA part 3 8–11 Mar, London 24–27 May, Bristol 13–16 Jun, London
Want to pass first time? Take face-to-face tuitionOur CIA exam workshops cover the entire syllabus. They are led by tutors who are experienced internal auditors and familiar with the CIA exams. Workshops complement the CIA Learning System and give you the best possible chance of exam success.
Some fees are payable in US dollars. The exchange rate is based on $1 = £0.644.
The Certified Internal Auditor (CIA) is the only globally accepted certification for internal auditors, and it’s recognised as the mark of competency and professionalism worldwide.
Studying for the CIA is very flexible – you can learn at your own pace and take the exams whenever you’re ready. Tuition is optional but you will have access to the CIA Learning System, which includes text books and an online tool that will generate a unique study plan for you.
IIA3054 CIA ad AW.indd 1 07/10/2015 09:37
business unit audit committees. I would appreciate any guidance/insight that you can provide.A. We are seeing internal auditors at various levels move into management roles. This has always happened as good people in internal audit are prime candidates for promotion. It rewards their hard work and keeps them in the business. It also means that people with an audit mentality take that outlook into their new roles. A bit of turnover in internal audit is also not a bad thing.
Once the head of internal audit becomes part of the management team it is then up to the senior executives to deploy that person
as they see fit. It is unusual for someone to take up the position of chair of an audit committee within the business, but there is nothing preventing that from happening – and it could be regarded as a sound move given the person will undoubtedly have very good knowledge of the audit process.
I would only be concerned if there were undue pressure and influence on the internal audit team to change the audit plan – in other words, interference with the independent choices made by internal audit on what to audit and undue influence upon what is written in audit reports, ie, leniency. However, it is up to the new head of internal audit to make sure that doesn’t happen.
Got A questIon? Contact the Chartered IIA technical helpline on 0845 883 4739 or
email [email protected]
Q&AYou asked us
our technical helpline provides valuable advice to members on a host of professional issues. Here are some of the questions you’ve submitted recently.
q. When carrying out a routine audit to confirm assets have been disposed of and removed from a record, would it be sufficient for the auditor to record the relevant details on a working paper/spreadsheet or would a copy of the actual record showing the items’ removal and a copy of the voucher/approval for removal be expected for each item tested?A. Standard 2330 Documenting Information states that: “Internal auditors must document relevant information to support the conclusions and engagement results (www.iia.org.uk/performancestandards).“ Practice Advisory 2330.1 (www.iia.org.uk/documentinginformation) gives some further information but does not specify to that level of detail on the collection of audit evidence. I would check to see if your internal audit manual stipulates any particular requirements. If not, I would suggest a “sample” of the record tested to be retained with the working paper for reference and possibly copies of any records where errors have been identified.
There is additional guidance provided in this area on ”How to Gather and Evaluate Information“ – www.iia.org.uk/evaluateinformation – and ”Top Tips on Working Papers“ – www.iia.org.uk/toptips – which you might find useful.
q. We have inherited an internal audit rating and scoring system from our head office that we have been using in recent years. now we are thinking of upgrading our system to something
more in line with current practices. Would you be able to provide me with some images or materials relating to some current rating and scoring systems used in the industry? I am hoping that this will help me to design our next-generation system.A. There is no right or wrong way to rate or score internal audit reports, just different styles according to preference and circumstances. Having said that, we have built up a picture of what some people are using in different sectors so you can judge whether your methods look better or worse. See www.iia.org.uk/deliveringfindings
q. I have recently moved jobs within the same organisation from head of internal audit into a group finance role. I am concerned about a conflict of interest as part of this new role will be assuming chair responsibilities on
33
After nine years, PaulCharlton CFIIA has stepped down from his role as senior chief examiner for the institute’s exams. Charlton has overseen the IIA Diploma and IIA Advanced Diploma
professional qualifications and the IIA IT Auditing Certificate during his term of office, and we would like to extend our thanks to him for his significant contribution to the institute during this time.
At the AGM on 15 October, Dr Mark Carawan FIIA was elected president and Paul Boyle OBE FIIA was elected deputy president of the institute. Carawan is Citigroup chief auditor and managing director responsible
for the audit and risk review department. He has served on the
Chartered IIA’s council, nominations committee and
the professional development committee. Boyle is chief audit officer at Aviva and is the current chair of the institute’s professional development
committee; he has also served on the business and
finance committee. Grant Morrison CMIIA was re-appointed as chair of the audit committee. All other resolutions were passed. For a full report visit www.iia.org.uk/AGMreport
Institute CEO Dr Ian Peters presented Tamas Hofer, one of the first successful candidates to complete the Citi Internal Audit Foundation Academy, with his certificate at a special ceremony in June. The institute has accredited the Citi programme so that candidates are also awarded the IIA Certificate in Internal Audit and Business Risk (IACert). Citi joins Barclays, Standard Chartered Bank and BAE in achieving such accreditation of their in-house programmes.
New policy and external relations director appointedThe institute has appointed a new director of policy and external relations, Alisdair McIntosh, who brings with him over 25 years of experience in policy-making and public affairs.
Alisdair will be responsible for leading the institute’s policy programme, engaging with key business leaders, policy-makers and regulators to promote and develop the role of internal audit in improving corporate governance, risk management and internal controls.
One of Alisdair’s key priorities will be to build on the work the institute has done to develop internal audit across
the financial services sector, including monitoring the implementation of its 2013 financial services code, which was promoted by the institute, the Financial Conduct Authority and the Bank of England.
Alisdair has held a series of strategic leadership roles in the UK and Scottish governments, and at the European Commission in Brussels. Latterly he was director of Business for New Europe, the leading pro-EU business organisation, and an advisor to TheCityUK, the representative body for UK financial and related professional services.
Looking for more? go onLineVisit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.
InSTITuTEnEwS
34
Carawan is Citigroup chief auditor and managing director responsible for the audit and risk review department.
Senior chief examiner steps down
First IACert graduate for Citi’s internal audit academy
Carawan elected institute president
The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm each of which practises in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction. The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number 4040598) whose registered office is at 11 Old Jewry, London EC2R 8DU. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by article 60 et seq of the Civil Code of Switzerland whose seat is in Zug.
What if you had more answers than questions?
FIND CONFIDENCE THROUGH TAILORED INSIGHTS
To make confident decisions about the future, middle- market leaders need a different kind of adviser. One who starts by understanding where you want to go and then brings the ideas and insights of an experienced global team to help get you there.
rsmuk.com
The basics of risk-based internal auditing Here is an explanation of RBIA from the 2005 guidance:• RBIA is not about auditing risks but the management of risks. • It ensures that internal audit resources are directed towards assessing the management of the most significant risks.
• RBIA takes account of the audit committee’s assurance requirements. • It informs management and the audit committee of any risks on which assurance will not be provided. • RBIA justifies the number of
internal auditors required. • It requires interviewing, influencing, facilitating and problem-solving skills. • It ties all aspects of internal auditing together from objectives through to reports. • It identifies residual risks that
are not in line with risk appetite. • It assesses the risk maturity of the unit or area being audited and reports this to management and the audit committee. • RBIA makes clear and unambiguous conclusions on risk management.
Tools for the job
Since early 2014 the technical team and the institute’s volunteer writing group have been working on guidance to support the tenth anniversary of An Approach to Implementing Risk-Based Internal Auditing.
We have worked on the premise that the definition of risk-based internal auditing (RBIA) and the underlying objectives are as pertinent today as they were in 2005. If you re-read the detail of the guidance – and we urge everyone to do so – we are confident you’ll be able to pick out a range of valuable advice that is just as sharp and meaningful as it was ten years ago.
The Chartered IIA defines RBIA as a methodology that links internal auditing to an organisation’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to risk appetite. The aim of RBIA is to provide the board with the assurance that it needs on three areas:• Risk management processes, both their design and how well they are working.• Management of those risks classified as “key”, including the effectiveness of the controls and other responses.• Complete, accurate and appropriate reporting and classification of risks.
There is no doubt in our minds that the
2005 guidance was groundbreaking and that it has stood the test of time. We have therefore resisted the temptation to tinker with the content because it spells out in clear terms how internal auditors can provide a valuable and much-needed assurance role in a world of change and uncertainty. If anything, that role and the risk-based approach has become even more relevant – so if something isn’t broken, why fix it?
We have published seven pieces of guidance to bring the
collective knowledge and experience around risk-based
auditing to our members.
RBIA: standing the test of time
Instead we have tried to build and reinforce the messages within the 2005 guidance by providing practical advice and tools based on what effective internal audit functions have been doing. The beauty of RBIA is that it is principle-based, so organisations are able to put into practice what works for them. Through external quality assessments (EQAs) we have been able to see how good RBIA works but also identify areas where some internal audit functions struggle. The guidance we have written in the past 18 months attempts to share best practice and fill the gaps for people who need help.
We have published seven pieces of guidance to bring the collective knowledge and experience around RBIA to our members. Here is a list of the guidance with links to the resources section of our website: • How to set up an internal audit activity (www.iia.org.uk/setupnewia)• Annual internal audit coverage plans (www.iia.org.uk/auditcoverage) • Risk-based internal audit plans in financial services (www.iia.org.uk/
rbiafs) • Audit universe (www.iia.org.uk/audituniverse) • Risk appetite and internal audit (www.iia.org.uk/riskappetite) • How to plan an audit engagement (update) (www.iia.org.uk/auditengagement) • What an effective risk-based internal audit looks like (www.iia.org.uk/goodrbia)
36
Planning an external quality assessment? Be prepared.
Are you planning an EQA or new in post? The Chartered IIA’s readiness assessment will give your internal audit function a comprehensive health check and make sure you’re fully prepared for your next effectiveness review.
The service is carried out by our experienced review team and it will:
• Highlight any weaknesses in your processes and practices
• Identify potential risks to your organisation’s conformance with the standards
• Give you clear guidance on how to address any issues and improve performance
• Help you to establish a culture of continuous improvement and develop training plans
Why use the Chartered IIA?Our independence means you will get a completely objective review and because we set the standards, we truly understand them. We also have no interest beyond promoting and developing the profession, so we’ll never try to sell you other services or take over any aspect of your internal audit function.
Visit www.iia.org.uk/readiness
Call 020 7498 0101
GET A QUOTE
IIA3053 EQA ad AW.indd 1 29/09/2015 15:33
38
Student noticeboard
Extenuating circumstancesMembers who wish for extenuating circumstances to be considered in relation to their exams should ensure that they read the policy in full before making a submission by visiting www.iia.org.uk/extenuatingcircumstances
Studying to become chartered? Boost your chances of passing the case study exams first time. Our new online learning system will make sure you’re well prepared, with concise study texts, practice case studies, quizzes and podcasts. Find out more at www.iia.org.uk/charteredstudy
PEJ completionDon’t put off completing your professional experience journal. It’s much easier to record your experience while you study instead of waiting until after you’ve passed the exams. If you write little and often, you’ll soon fill it. And remember, you won’t be awarded your designation until your PEJ has been submitted. Download a PEJ template and find tips on completion at www.iia.org.uk/pej
StudentnoticeboardEssential information for students is available at www.iia.org.uk/students
IIA Diploma examsMoDule DAte tIMeP1 – The internal audit environment 23 Nov 9.30am to 12.40pm
P2 – Financial risks and controls 24 Nov 2 to 5.10pm
P3 – Internal audit practice 24 Nov 9.30am to 12.40pm
P4 – Information systems auditing 25 Nov 9.30am to 12.40pm
P5 – Corporate governance and risk management 26 Nov 9.30am to 12.40pm
P7 – Internal audit practice case study 26 Nov 2 to 5.10pm
IIA Advanced Diploma examsMoDule DAte tIMeM1 – Strategic management 23 Nov 2 to 5.10pm
M2 – Financial management 24 Nov 2 to 5.10pm
M3 – Risk assurance and audit management 25 Nov 2 to 5.10pm
M4 – Advanced internal auditing case study 26 Nov 2 to 5.10pm
IIA It Auditing Certificate examMoDule DAte tIMe A1 – IT Auditing Certificate multiple choice questions 23 Nov 9.30 to 11.30am
CIA exam preparation workshopsMoDule DAte loCAtIon CIA Part 1: Internal audit basics 9–10 Feb London
CIA Part 1: Internal audit basics 8–9 March Manchester
CIA Part 2: Internal audit practice 26–27 Jan Bristol
CIA Part 3: Internal audit knowledge elements 8–11 March London
CMIIA workshopsMoDule DAte tIMe QIAL case study 1: Internal audit leadership 7–8 Jan London
QIAL case study 1: Internal audit leadership 28–29 Jan Manchester
QIAL case study 2: Organisational leadership 13–14 Jan London
QIAL case study 2: Organisational leadership 26–27 Jan Manchester
QIAL case study 3: Ethical leadership 21–22 Jan London
QIAL case study 3: Ethical leadership 11–12 Jan Manchester
QIAL interview and presentation 1–2 Feb London
www.iia.org.uk/charteredFIND OUT MORE AT
Boost your chances of passingTo pass the exams and be ready to lead an internal audit function you will need to demonstrate strategic and leadership skills as well as showing advanced technical internal audit knowledge.
Our new online study system will teach you everything you need to know, and you can work through the syllabus at your own pace.
Save time by reading our concise study texts
Learn on the move – download study texts to your e-reader
Practise analysing case studies
Take quizzes to help reinforce your learning
Contact your tutor for advice and support
If you’re already qualified in internal audit, why not maximise your potential and raise your profile by becoming a Chartered Internal Auditor?
Chartered status is the gold standard in the professional practice of internal auditing and the CMIIA designation denotes the highest level of professional excellence.
Become a Chartered Internal Auditor Master the strategic and technical skills required to be an effective leader
New exams lead to chartered status This year we changed the exams that lead to chartered status to align with IIA Global’s qualification framework. That means we’ve introduced the Qualification in Internal Audit Leadership (QIAL). The three QIAL case study exams lead to chartered status and members can also complete a fourth component – a presentation and panel interview – to gain the full QIAL qualification.
www.iia.org.uk/charteredstudyFIND OUT MORE AT
How can you become chartered?
1
Pass three case study
exams
2Complete a professional experience
journal
3
Be awarded the CMIIA
designation
IIA3055 QIAL ad AW.indd 1 09/10/2015 12:32
BT’s Group Internal Audit (GIA) is in the unique position of getting truly under the skin of all divisions in this fast-paced, ever-changing, global technology business. GIA provides independent and objective assurance to senior management and the Board, providing business-critical advice as to the adequacy and effectiveness of key controls and risk management. All of our Internal Auditors are known for delivering high quality, reliable advice to clients and colleagues across BT. We have an enviable track-record of promotions within the division and to other roles across BT. We are currently recruiting for vacancies across our IT, finance and operational audit teams.
Responsibilities:Planning,performingandreportingofauditsonariskassessedbasis,usingappropriate,flexible,andcosteffectivemethodologies.Thesewillbeinlinewithprofessionalanddivisionalstandardsandcustomerneeds,actingeitherasleadauditororinsupportofothers;
Trackingauditrecommendationstoensureimplementationisachievedagainsttargetsandthattheremediationiseffective;
UndertakingSox404compliancetestingassignmentsinaccordancewithDivisionalSoxtimescalesanddocumentationstandards;
Keepingup-to-datewithexternaldevelopmentsandbusinessinsightofspecifiedbusinessoperations,strategicimperativesandbusinessrisks;
Identify,anticipateandrecommendtheneedforchangestotheauditplan,inresponsetochangingriskprofilesandbusinessneeds;
Proactivelyassistsintheidentificationanddevelopmentofleadingedgemethodologiesandbestpractice.
Desired skills and experience: FullyCMIIA,CISAorACAqualified(orrecognisedequivalent).
Provenabilitytoprovidebusinessinsightofspecifiedbusinessoperations,strategicimperativesandbusinessrisks.
Strongunderstandingofriskandcontrolmanagementframeworks.
Relevantbusinessorauditexperiencewithcommercialandfinancialacumen.
Excellentcommunicationskills,bothverbalandwritten.Salary:£40,000–£52,000dependentonroleandexperienceplus10%bonusLocations:London,Birmingham,Reading,SheffieldandNewcastle
To apply, please send your CV and current package details to [email protected] as soon as possible
BT Advert_IIA_F.indd 1 20/10/2015 15:17
Book early and save
Training
February 2-4 An introduction to internal auditingYork
23-24Risk-based internal auditing – an audit management course London
March 7 Lean auditing – delivering added value from audit in an efficient wayLondon
Training
Training courses We provide comprehensive training on every aspect of internal auditing. Save on all courses when you book three months ahead. Browse and book at www.iia.org.uk/courses
8-9 Heads of internal audit – induction master classLondon
8-9A practical guide to evaluating risks and controlsLondon
10 Assurance mapping – a practitioner's workshopLondon
11Successful strategies for audit managers – a master class London
15-16 Auditing contracts, outsourcing and procurementLondon
15-17An introduction to internal auditingSurrey
17Controls and human behaviourLondon
22-23Techniques for effective trainingLondon
41
Exciting opportunities in Internal AuditAt RBS, we are focused on becoming the UK’s number one bank for trust, customer service and advocacy by 2020. Internal Audit is central to delivering on that ambition and we are creating a world class Audit Function with top talent and fantastic opportunities to enhance your career within audit or other areas of the Bank. We are looking to recruit Audit Managers and Senior Audit Managers to work with some of the most visible and dynamic parts of our business; Personal and Business Banking, Commercial Banking, Risk and our Operations and Technology teams. The ideal candidate is a high calibre individual with strong risk-based audit experience and the interpersonal skills to build trusted and credible relationships with senior stakeholders in these highly visible and influential roles.The roles are based in either Edinburgh or London. Please visit our careers site for more details job.rbs.com, or if you would prefer to discuss our opportunities informally and in confidence, please contact Scott Somerville on 0131 626 5024 or [email protected]
42
November 4 November
IIA North West – Conflict management: an essential skill for audit and risk professionalsManchester
5-6 NovemberIIA Scotland – Annual conferenceEdinburgh
12 NovemberIIA North East – Culture club Leeds
12 NovemberQualifications open eveningLeeds
17 November Qualifications open evening Birmingham
20 November IIA/FAP annual conference London
26 NovemberQualifications open eveningBristol
December 5 December
IIA Midlands – Networking bingo Birmingham 9 DecemberIIA South West – Corporate governanceCongresbury
Events
Regional events and networking Our extensive volunteer network provides local support to members across the UK and Ireland. Each region organises a programme of events to help members network and stay up to date with developments at the Chartered IIA. Find out more at www.iia.org.uk/regions
Browse and book our programme of events at www.iia.org.uk/events
IIA Scotland conference
At this two-day conference on 5–6 November you will hear from senior
practitioners on topical risk areas and take part
in interactive sessions. The conference will be
followed by a dinner. Book your place at www.iia.org.uk/scotlandconference
Qualificationopen evenings
Serious about a career in internal audit? Why
not come along to an open evening and find out more about taking
IIA qualifications? Visit www.iia.org.uk/openevening
to find out more.
Volunteer for the institute
We are always looking for volunteers to join our regional network.
If you have time to spare and you’d like
to get involved, please visit www.iia.org.uk/
volunteer
VICE PRESIDENTLondon, up to £100,000 + bonus + benefitsA world renowned investment banking house is looking for a VP to join its fixed-income internal audit team. You will be joining one of the most diverse investment banks in the world providing comprehensive markets, industry, product and advisory expertise to more than 100,000 plus businesses across the globe. You will be responsible for audits across the rates, FX and structured products businesses, as well as liaising with other IB businesses as required. This sought after institution prides itself on offering its employees a fast-paced working environment with fantastic career progression. Ref: 1795131Contact Joshua Charles on 020 3465 0533 or email [email protected]
SENIOR INTERNAL AUDITOR Manchester, £50,000-£55,000 + excellent benefitsA leading financial services business specialising in insurance and consumer credit now seeks a senior internal auditor. Working as part of the 3rd line assurance function, you will be a key figure in ensuring that the business is not put at risk. You will plan, conduct and report on assignments across the full scope of business activities. This role offers you the chance to gain a broad range of audit experience within the framework of a large company that provides great career progression. An accountancy or audit qualification is essential for this role. Ref: 2579226Contact Mike McGibbon on 0151 239 1294 or email [email protected]
SENIOR IT AUDITORLondon, up to £60,000 + bonus + benefitsAn exciting and rapidly growing technology business is currently recruiting a determined internal IT auditor to join its team. Reporting directly into the Head of IT Audit, you will be responsible for leading internal projects and providing business wide assurance. This is a relatively new function and would suit an individual who is driven and has the desire to influence the long-term growth of an organisation. This is a fantastic opportunity to be part of a growing company with lots of exciting challenges, developments and opportunities in the year ahead. Ref: 2540293 Contact William Dale on 020 3465 0012 or email [email protected]
INTERNAL AUDITORCity of London, up to £50,000 + bonus + benefitsThis global insurance firm has recently acquired a Lloyds market re-insurance function and is now recruiting for an internal auditor to join its team. You will be joining a publically listed billion dollar company providing insurance, re-insurance and speciality insurance lines across EMEA, Central and Northern America and Asia. You will work directly with the audit partner across financial, operational and SOX audits in an autonomous environment. This is a fantastic opportunity for someone looking to move into a diverse, progressive and exciting new workplace. Ref: 2565908Contact Callum Martin on 020 3465 0533 or email [email protected]
YOUR NEXT BIG MOVE IN AUDIT
hays.co.uk/corporate-governance
This is just a selection of the opportunities we have to offer, visit us online to search for your next big move.
CG-13958 Audit & Risk 01.11.2015.indd 1 14/10/2015 16:51
IIA 255 x 205.indd 1 15/10/2015 10:16
corporate governance recruitmentBanking
Internal Audit ManagersLondon/FlexibleTo£65–75,000+BensDue to expansion and a change in internalaudit structure this respected private bankand wealth manager is seeking to recruittwo Internal Audit Managers to workclosely with the Group Head of Audit. As aManager you will help develop the annualplan as well as deliver those auditsassigned to you. Candidates will beconsidered from internal audit, consultancyand also compliance backgrounds. CASSexposure would be beneficial.
Internal Audit ManagerWest MidlandsTo£60,000+Car+BensAn opportunity has arisen to join one of themain challenger banks at their corporateoffice. Their core business is providing retailbanking services including a range of lendingand savings products. Based at their officein the West Midlands they are seeking anexperienced internal audit professionalwith extensive financial sector experience.Reporting to the Chief Internal Auditor youwill form part of a small experienced teamplus co-sourced assistance.
Corporate Audit ManagerLondonTo£80,000+BensOur client, a successful global bankinggroup, is seeking a Corporate AuditManager. You will be involved in reviewingcontrols surrounding structured finance,corporate lending and credit risk. Workingclosely with senior business managers youwill plan and lead international audits andreview regulatory issues and operationalprocesses. The role offers an insight intocorporate banking activities and offersexcellent career development opportunities.
AVP Audit, Global MarketsLondon/FlexibleTo£80,000+BensThis international bank is growing itsinternal audit department. They are seekingan AVP Audit to undertake a variedportfolio of audits across their globalmarkets business as well as supportingother functions. You will be a qualifiedinternal auditor with a good understandingof recent regulatory developments.Relevant internal or external auditexperience from an investment banking orcapital markets background is desired.
For further details of positions inBanking contact David Hornsby020 7936 [email protected]
Financial Services
Group Internal AuditorMidlandsTo£45,000+Car+BensOur client, a household name insurancegroup, is seeking a group internal auditorto report directly to the Group AssuranceManager. You will deliver audits acrossareas such as financial / operationalcontrols, risk & compliance and will alsobe expected to contribute to thedevelopment of the annual internal auditplan. You will be required to interact withsenior stakeholders, challenge processesand bring new ideas to the business.
Assistant Audit ManagerSouth WestTo£52,000+BensOur client is one of the UK's leading retailfinancial services groups with an excellentreputation for investing in and developingtheir staff. As an Assistant Audit Manageryou will report to the Head of Internal Auditand conduct risk focused audits which willcontribute to the continuous improvementof control processes. You will engage withstakeholders at all levels, ensuring thataudit findings are agreed and action pointsand solutions are implemented.
Head of AuditCityTo£120,000+BensThis leading City based Lloyds Insurer isseeking to recruit a Head of Audit. You willbe professionally qualified and havefinancial services experience which shouldinclude relevant insurance industry andteam management experience. AttendingAudit Committees and liaising with seniorstakeholders will require personal andprofessional credibility. Candidates whoare currently working within a consultancyenvironment will be of interest
Audit ManagerLondonTo£80,000+BensAn Audit Manager is sought by this leadinginsurance broker to manage their Citybased EMEA internal audit team. Ideallyyou will have an insurance brokingbackground but a wider insurancebackground will also suffice. You musthave managed a team, be CMIIA/CCABqualified and have excellent communicationskills. A second European language ispreferable but not a pre-requisite. Careerdevelopment prospects are excellent.
For further details of positions inFinancial Services contactDavid Jarrold 020 7936 [email protected]
Commerce/Not for Profit
Internal AuditorLondon£30,000+Bens+StudyAn excellent developmental opportunityfor an internal auditor with 1–2 years'experience has arisen within this recentlyestablished infrastructure group. Workingclosely with the Head of Internal Audit in anewly created audit function, you will assistwith all aspects of the audit plan, fromfieldwork to presenting to stakeholders. Thegroup is offering a full study package andwill seek to develop your skills as youprogress within the business.
Lead Auditor – UKBerkshire£65,000+BensThis leading telecommunications Plc islooking to further strengthen their internalaudit function and is seeking anexperienced and qualified internal auditor.This is an excellent opportunity to gaincommercial audit experience. You will beexpected to complete a variety of reviewstogether with unique ad-hoc projects. Thisrole should be a platform for developmentwithin the group either in audit oroperational management.
Senior Internal AuditorLondon / Regional Base£45–50,000+BensThis diverse FTSE100 group is seeking torecruit a CMIIA or CCAB qualified seniorinternal auditor to work within a well-respected business unit of an internationallyrecognised brand. You must have at leastthree years internal audit experience,ideally with a commercial environment andhave the ability to travel 10–20% annually.This is a progressive opportunity and canbe based in either London, Birmingham,Reading or Newcastle.
Sen. Int. Auditor/Ass’t Mngr.Varied Locations£40–47,000+BensThis Top 10 practice is undertaking arecruitment drive within their internal auditdivision. Opportunities exist to work acrossclients within the commercial, financial andpublic sectors. These roles provideexcellent career development opportunities.You must be studying or have completedyour CMIIA qualification. Full study supportis available together with refunds to currentemployers. Opportunities exist in London,Birmingham, Manchester and Southampton.
For further details of Commercial/Not for Profit positions contactSteve Driver 020 7936 [email protected]
Audit
Risk
Compliance
Security
Legal
Treasury
London
New York
Dubai
Hong Kong
Singapore
Barclay SimpsonBridewell Gate9 Bridewell PlaceLondonEC4V 6AW
020 7936 2601
Audit&Risk-DPS-Nov15:DPS 15/10/15 14:55 Page 1
t
Visitwwwwww..bbaarrccllaayyssiimmppssoonn..ccoommto access a vast range of freeonline resources…
• Search hundreds of audit vacancies• Find your current market value• Information on where best to live
and work• Focus on Computer Audit• Latest information on qualifications
Barclay Simpson hasbeen awarded theDiversity AssuredRecruiter accreditationunder the REC’s‘Diversity Initiative’.
For more details visit:www.barclaysimpson.com/equalopps
IT Audit
IT Audit ManagerLondonTo£60,000+Bens A commercially minded IT Auditprofessional is sought for this US listedluxury travel group. Reporting to theDirector of Internal Audit you will takeresponsibility for the IT audit plan whichincludes managing the IT SOx programme.This is a unique role which requires up to40% overseas travel and could require youto spend 2–3 weeks away. However, all airtravel is business class and you will stayin some of the finest hotels in the world.
Senior IT AuditorHampshireTo£65,000+BensAn experienced financial services ITauditor is sought by this internationalinvestment, savings, insurance and bankinggroup. Reporting to the IT Audit Lead youwill manage the delivery of both applicationcontrols and core infrastructure reviews. Inaddition to providing technical expertise onreviews you will also manage relationshipswith IT stakeholders and prepare valueadding reports that help the groupeffectively manage the IT landscape.
Senior IT AuditorGlasgow To£60,000+BensThis growing banking group is committedto expanding its IT internal audit coverageand is keen to recruit an auditor who canwork effectively with stakeholders acrossIT, change and the 1st and 2nd line ofdefence teams. You will deliver end to endaudit assignments and present yourfindings to senior management. Futureprogression into roles outside of audit willbe encouraged making this an interestingoption for both now and the future.
For further details of positions in IT Audit contact Daniel Flynn 020 7936 [email protected]
International
Senior Internal AuditorParis 55,000+Bens
This is an excellent opportunity to developyour career working within the wellrespected internal audit division of aprestigious global manufacturing group.The work is interesting and challenging andtypically after 18–24 months you will beexpected to transfer into other areas of thebusiness. Historically these moves are intosenior financial or commercial positions inParis or across Europe. Expect up to 40%international travel.
Internal Audit DirectorNew York$ExcellentAn Audit Director is sought to build a new FXaudit function for our client, a successful USbank. The function will provide additionaloversight in North America in line withenhanced regulations. The role will overseethe growth of this team, including liaisingwith senior stakeholders, recruiting theteam, formulating the strategic audit plan,and supporting the Global Audit MD. Youmust be an established audit leader withexposure to FX products.
Senior Audit ConsultantSaudi ArabiaTo£180,000 Tax FreeOur client is a major regional bank. This role has been established to support theAudit Director in the general management of the department and particularly as theyimplement a major audit transformationprogramme. You will assist audit functionheads in planning, resourcing and teamdevelopment. Previous senior bank auditmanagement experience gained in asuccessful internal audit team in aninternational bank is required.
For further details of International positions contact Tim Sandwell020 7936 [email protected]
Compensation and MarketTrends Report 2015Compensation and MarketTrends Report 2015
• Includes results of 2015compensation survey
• Up to date overview of the internal audit recruitment market
• Sector analysis• Trends in salaries and other benefits paid to internal auditors
• Salary guide
Download your free copy at: www.barclaysimpson.com
Nationwide Interim Opportunities
Barclay Simpson Interim Solutions is the leading provider of interim recruitment services to the internal audit profession. For more information on these and many other opportunities, please contact Andrew Whyte [email protected]
www.barclaysimpson.com/interimsolutions
Yorkshire Fixed Income Auditor Investment Banking to £650 per dayLondon Head of Internal Audit Asset Management £excellentEssex Director of Assurance Commerce £excellentEssex Internal Audit Manager Commerce to £400 per dayThames Valley Forensic Auditor Public Sector to £250 per dayLondon Senior Auditor Commerce to £50,000 pro-rataGlasgow IT Audit Consultant Banking to £600 per dayLondon Third Parties Auditor Investment Banking to £800 per dayLondon IT Audit Manager Financial Services to £75,000 pro-rataSouth-East Ops Risk Manager Asset Management to £600 per day
Audit&Risk-DPS-Nov15:DPS 15/10/15 14:56 Page 2
corporate governance recruitment
Barclay SimpsonBridewell Gate9 Bridewell PlaceLondon EC4V 6AW
020 7936 2601 www.barclaysimpson.com
The Global Fund partnership mobilizes and invests nearly US$4 billion a year to support programsrun by country and community experts to defeat AIDS, tuberculosis and malaria. Since 2002,Global Fund investments have saved 17 million lives with a further 5 million expected by the endof 2016. The Global Fund’s Office of the Inspector General plays a key role in safeguarding theseinvestments through internal auditing, investigations and consultancy work.
The Office of the Inspector General is recruiting enthusiastic and skilled audit professionals to join a young,rapidly growing and culturally rich team. We’re looking not only for highly competent individuals but alsocandidates who can demonstrate their ability to build and develop trust and confidence, who can managedifficult conversations, who are culturally sensitive, effective in diverse environments and who caninfluence and negotiate positive outcomes.
With multiple audit requirements across finance, grant management, supply chain, procurement,governance and human rights departments, to name but a few, your experience could be as varied asthe people we employ. In addition to English and French at least 20 other languages are spoken in theOffice of the Inspector General. Based in Geneva, Switzerland, your work could take you to any one of the140 countries in which the Global Fund invests to help us defeat the world’s three deadliest diseases.
For further details and to apply please contact Dan Flynn at: [email protected]
Audit Managers – Lead Auditors – AuditorsBased Geneva (Relocation assistance available)Tax Free CHF Salary plus comprehensive benefits
Audit&Risk-BP-GlobalFund-Nov15:Audit&Risk-BP MI5-Feb12 15/10/15 14:39 Page 1