Issue 26 November/December 2015

The magazine of the Chartered Institute of Internal Auditors

ull ce
f
useren
Pln
f 15
o
C 20view
re

Fresh fields: why

Madina Bazarova
moved to Malaysia
to audit agricultural
development projects

Plus: IA and the company secretary; building an audit team from scratch

BUSINE
IN

BHBi CE
SS

RATING
LEB

10

YEAR
S
TEN
CELLEN
F EX

10

NAL AUD
TER

BHBi IN
CE

ENTRE O
IT C
39752 BHBi Internal Auditing Ad 255x205.indd 1

19/08/2015 17:21

Contents
14

Issue 26 November/December 2015

The magazine of the Chartered Institute of Internal Auditors

22

ll e
c
s fu
ren
Plu
nfe 15
Co 20view
re

Fresh fields: why

Madina Bazarova
moved to Malaysia
to audit agricultural
development projects

Plus: IA and the company secretary; building an audit team from scratch

18
Published for the Chartered
Institute of Internal Auditors
byCaspian Media Ltd,
Unit G4, Harbour Yard, Chelsea
Harbour, London SW10 0XD
020 7045 7500
Editors
Keith Ryan
keith.ryan@caspianmedia.com
020 7045 7543

Front

Features

3 The institute view

14 Global challenges

From the chief executive,

Ian Peters.

5 World view
From Richard F Chambers,
IIA Global president
andCEO.

7 View from the top

From Karen Bassett, chief
internal auditor at Leeds
Building Society.

8 Update
The latest news affecting
the profession.

An interview with Madina

Bazarova, associate director
of the internal audit unit
Asia at CGIAR.

18 Sowing a seed
Meet four people who set
up an internal audit team
from scratch.

22 Value pool
How United Utilities
benefited from its recent
Chartered IIA EQA.

26 Common cause

A round-up of the
institutes recent event.

Why the company secretary

could be a useful ally for
heads of internal audit.

12 Reportage

30 Out of sight

10 Conference

The Chartered IIAs latest

governance and risk report.

Member
matters
33 You asked us
Your questions answered.

34 Institute update
Institute news and
membership matters.

36 Tools for the job

What is risk-based
internal auditing?

38 Student noticeboard
Essential information
for exam candidates.

41 Courses
Key dates for your diary.

42 Events
Whats on across the UK
and beyond.

Outsourcing is on the rise

but risks remain.

We post more news and articles online every week.

To access these, visit www.auditandrisk.org.uk

Brendan Scott
brendan.scott@caspianmedia.com
020 7045 7572
Chartered Institute
of Internal Auditors
info@iia.org.uk
www.iia.org.uk
020 7498 0101
Subscriptions
membership@iia.org.uk
020 7498 0101
Advertising
Ian Mehrer
ian.mehrer@caspianmedia.com
020 7045 7596
Creative director
Nick Dixon
Opinions expressed by
contributors are their own.
Reproduction in whole or in
part without written permission
is strictly prohibited.
ISSN 2048-8408.

TeamMate

Ecosystem for Assurance

Audit

Controls
Analytics
To achieve new heights, finding the right balance of audit tools is essential.
Only TeamMate offers an integrated set of solutions that include the industrys
leading audit management system, an innovative controls management
system and powerful data analytics.
TeamMate AM

TeamMate CM

TeamMate Analytics

Learn more at: TeamMateSolutions.com

Copyright 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946

TeamMate Ecosystem advert UK.indd 1

03/02/2015 11:04:42

View from the institute

Outsourcing auditing contracts

At the heart of outsourcing lies the formal relationship between
the commissioning organisation and the supplier. Internal audit
can provide assurance at each stage of the procurement process.
Ian Peters, chief executive of the Chartered IIA.
Ever since Adam Smith observed the
invisible hand at work, companies have
tried to exploit every competitive advantage
available to boost profits and increase
shareholder value. In the early 20th century
this impulse drove firms to house all aspects
of production and management under one
roof. These massive integrated companies,
symbolised by multinational oil firms such as
BP, eventually became too large and unwieldy
to compete in the global marketplace.
Outsourcing was born. Our new report looks
at what role internal audit can play in
providing assurance on outsourced services.
Today it is not only private companies that
seek to outsource services to other firms.The
UK government doubled the amount it spent
on outsourced services between 2010 and 2014
to around 90bn. However, commissioning
organisations have found that, although a
range of services can be outsourced, from
production to IT support, some risks
especially to their reputations still remain.
You cant completely outsource risk.
There are numerous examples of
organisations that have not adequately
managed risk to their reputation inherent in
their agreements with suppliers.The UK
government has suffered reputational
damage from problems with suppliers, for
example with G4S during the 2012 Olympics
and with Atos for the Department for Work
and Pensions work capability assessments.

The slew of companies that have been

criticised for employing suppliers with
poor worker conditions includes the
worlds largest company (by market
capitalisation), Apple.
Firms can be engaged in complex
supply networks that span
continents. But at the heart of any
outsourcing activity lies the formal
relationship between the
commissioning organisation and
the supplier. Internal audit can
provide an advisory service and
independent assurance at each stage of
the procurement process. Internal
audits role will depend on the perceived
risk it presents to the organisation, the
boards risk appetite and the cost and
complexity of the outsourced service.
Internal audit should be involved as
early as possible in an organisations
procurement cycle.The organisation should
use a recognised process to complete a
feasibility study to show that there is a clear
business case aligned to the strategic
objectives of the organisation. Where this
process is absent, internal audit can work in
an advisory capacity to help establish an
effective framework.
Internal audit can review the
organisations tendering and supplier
selection process, assuring the board that
they have adequate and effective policies in

Organisations have found that,

although a range of services can be
outsourced, some risks especially to
their reputations still remain.

place to choose the right

supplier. So-called right
to audit clauses ensure
that evaluation and
monitoring of the
third-party provider can
take place. As the contract
is drafted, internal
audit can examine
the performance
management
arrangements in place
and advise on whether
they are appropriate.
Auditors can also work
with other assurance
providers such as
operational managers and
compliance professionals to
ensure coordination and that
duplication is avoided.
As part of our research we present case
studies that show how internal audit can get
involved at all stages of the procurement
cycle. We spoke to private companies and
government departments including the BBC,
the Home Office, Crossrail and EDF Energy.
Contracts will occupy more of internal
auditors time as organisations learn the
benefits of receiving independent assurance
on contracts.The institute will follow
developments in this area closely as auditors
get to grips with auditing more complex
outsourcing arrangements.
See feature on page 30.

HAVE YOUR SAY

Post your comments about this
article or any of the issues raised at
www.auditandrisk.org.uk

IIA Partner advertisement

The Battle Continues

Working to
Bridge the Data
Security Chasm
Cybersecurity concerns and discussions
abound in companies today, which are intent
on addressing these issues aggressively. But
are these intentions translating into effective
policies and actions to secure the crown
jewels of organizations? The answers are
mixed, at best, according to Protivitis 2015
IT Security and Privacy Survey.
Tone from the top is a
critical differentiator

Many companies lack an understanding

of their crown jewels
Managements level of understanding
of organizations most sensitive
data and information
2015

2014

2013

Excellent understanding

29%

23%

27%

Good understanding

45%

51%

48%

Limited understanding

16%

22%

22%

Little or no understanding

3%

3%

2%

Dont know

8%

1%

1%

Senior managements level of awareness with regard

to information security exposures

Level of board engagement in information security risks

2015
2014
High level of engagement

28%

30%

Medium level of engagement

32%

41%

Low level of engagement

15%

20%

Dont know

25%

9%

A strong security foundation

must include the right core policies
Large Companies
( $1B)

(1-10 scale where 10 = high level of awareness)

Companies with high board

engagement in
information security

Companies without high

board engagement in
information security

8.6

7.0

There arent high levels of

confidence in ability to
prevent cyberattacks
Level of confidence organization can monitor,
detect and escalate potential security incidents
(1-10 scale where 10 = high level of confidence)

Small Companies
(< $1B)

Companies with high board

engagement in
information security

8.0

Companies without high

board engagement in
information security

Acceptable use policy

82%

72%

Record retention/
destruction policy

80%

71%

Level of confidence organization can prevent an

opportunistic breach caused by a company insider

Data encryption policy

79%

58%

(1-10 scale where 10 = high level of confidence)

Written information
security policy

72%

60%

Social media policy

61%

50%

Companies with
high board
engagement in
information
security

7.7

Companies without
high board
engagement in
information
security

6.1

Companies with
all core
information
security
policies

7.5

6.5

Companies
without all core
information
security
policies

6.1

To learn more, visit Protiviti.com/ITSecuritySurvey.

2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet.
Protiviti is not licensed or registered as a public accounting firm and does not
issue opinions on financial statements or offer attestation services.

Protiviti Advert_Revised_F.indd 1

20/10/2015 16:30

View from IIA Global

Change meeting tomorrows challenges

Internal audit is being asked to support efforts to mitigate risks

from a dizzying array of sources and its response could affect
how the profession evolves.
Richard F Chambers, president and CEO of IIA Global.
We often read about a business, government
or an individual coming to a crossroads.
More often than not, these are overly
dramatic descriptions of some smaller crisis.
However, when it comes to internal audit, we
may truly be at such a junction.
The internal audit profession is in a
period of great change. Businesses
operating in an increasingly dynamic
environment face risks from a dizzying array
of sources old and new, including cyberthreats, privacy concerns and corporate
culture clashes. More than ever, internal
audit is being asked to support efforts to
mitigate these varied risks and its response
could affect how the profession evolves.
The growing list of pressure points poses
serious challenges. It includes the familiar,
such as rising stakeholder expectation; the
anticipated, such as increased regulatory
scrutiny; and unforeseen threats endemic to
a volatile risk landscape.
As with any profession undergoing
change, the challenge is to adapt quickly and
efficiently based on the best information
available at the time. This evolution is likely
to occur at a faster pace than in the past,
which magnifies the importance of having
strong leadership and a clear mission.
Internal audits focus on understanding
and responding to stakeholder needs is not
new. What has changed is the portfolio of
stakeholders, which has grown as internal
audits value has become more apparent.
In addition to the traditional
stakeholders of management and the board,
investors and regulators are increasingly
turning to internal audit to provide assurance
on transparency. Each of these constituencies
has evolving needs to align with risks and
agendas.The challenge for internal audit is to

balance those needs,

especially when
they conflict.
It is vital, then, for
heads of audit
to have clear
communications with
stakeholders,
including formal
and informal
communications
channels to
build rapport.
In concise terms,
boards want no surprises,
management wants
partnering and value for
money, and regulators want
independence and transparency.This
makes it appear to be a simple task.
But meeting stakeholder expectations is
rarely straightforward.

The list of
pressure points
poses serious
challenges.
A recent Common Body of Knowledge
report from the IIA Research Foundation
describes the dilemma financial services
auditors are facing. The report, A Global
View of Financial Services Auditing:
Challenges, Opportunities and the Future,
highlights the difficulty of serving an
expanding list of stakeholders and the
corresponding scope of work. It appears
the caveat about being careful what you

ask for has become reality for many,

bringing with it both opportunities and
challenges, says the report. CAEs are
finding themselves in the middle of
almost every problem imaginable.
Limited resources are being stretched
to meet stakeholder needs, and to
develop the new skill sets required
for the expanded scope of work.
Added to this are the increasing
responsibilities for internal
audit on regulatory issues.
A looming labour shortage in
the profession completes a sobering
picture as we head into 2016. But it seems
appropriate that we face such challenges in
IIA Globals 75th anniversary year. If we are
to thrive in this landscape, we must rely on
the IIAs principles and standards.
I mentioned earlier the need for strong
leadership and a clear mission. The IIAs
revised International Professional Practices
Framework (IPPF) offers the guidance we
need. It may be tempting to seek answers
in new approaches and I encourage
practitioners to do so but we must remain
grounded in the IPPF.
Despite these growing challenges, I
approach the coming year with optimism
and energy. Our profession has never shied
away from doing the hard work and using
creativity, ingenuity and determination to
meet our challenges head-on.

For further information

Richard F Chambers writes a blog
at iaonline.theiia.org/Richard-Chambers
and tweets at www.twitter.com/
rfchambers. His award-winning book,
Lessons Learned on the Audit Trail, is
available at www.theiia.org/bookstore.

Prepare to be amazed
An advanced risk and audit
management
solution for
only 200

The Total Risk, Audit and Compliance Software solution

Symbiant is a modular solution that allows the whole workforce to collaborate on

Audit, Risk and Compliance issues with prices starting at only 200 per month.
Incident Reporting, Risk Registers, Action Tracking, Control Failure Simulation, Capital Adequacy and
Stress Testing, Document Management, Control Self Assessment, Risk Workshops, Audit Panning,
Audit Questionnaires, Working Papers, Info Graphics, Dashboards and more.

To find out more or to arrange a free trial visit:

www.symbiant.uk

Trusted by names you know from charities to banks, government to PLC.

16
D WINNING SOFTWARE
OF AWAR

View from the top

Relationships does integrity trump trust?

We know how effective business relationships can be once we

establish trust and credibility. So at what point should we refuse
to compromise, even if it means that a relationship suffers?
Karen Bassett, chief internal auditor, Leeds Building Society.

Internal audit puts a lot of effort and

resources into being a trusted business
partner and this involves nurturing
relationships with stakeholders to ensure
that we are in the know. We need to be
credible and able to land issues and agree
audit actions smoothly, without creating
last-minute surprises. All this depends on
building up trust between the audit team
and business managers.
Agreeing and finalising audit reports can
often involve a compromise over position or
semantics. At times we need to collaborate
with management to find a middle ground to
establish business ownership and
accountability for improvements to the
control environment. The internal audit
profession has come a long way over the
years, establishing these relationships and
developing its people to be good at
stakeholder management. Personal
development plans now place as much
emphasis on the soft skills of influencing,
communication and negotiating skills as
they do on technical skills, and for good
reason. We know how effective these
relationships can be once we have
established trust and credibility.
So at what point should we tip the
balance and refuse to compromise, even if it
means that this relationship suffers?
In the wake of the banking crisis and the
casualties that followed, I am sure that all

internal auditors occasionally

winced while reading some of
the reports from the various
investigations questioning
the effectiveness of the
three lines of defence
and the role of
internal audit. We
have to be the
independent
challenger, the
conscience of the
board, judge and
guardian of the
control environment, the
all-seeing eyes and white knights of truth,
however unpalatable that might be to the
business. Our integrity must be beyond
doubt, otherwise we are part of the problem.
Of course we all say, so whats new?
Maintaining a strong, credible internal audit
function relies on all of the business
knowledge we glean from our hard-won
relationships to ensure that any challenges
we make are proportionate and our calls for
improvement are pragmatic. We need to
balance these skills, now more than ever,
with sound judgment and the courage to
challenge and disagree when under
pressure. We need to display confidence in
our understanding of the issues and
in our credibility when communicating
our findings.

Deciding whether to challenge

the business is our call and that
can put us in a lonely place.

At the end of the day

deciding whether to challenge
the business is our call and
that can put us in a lonely
place. At such times,
being able to depend on
the support of our
peers in the
profession and of
independent
non-executive
directors on our boards,
as well as the various
Chartered IIA advisory
groups and networking
events, has never been more
important or more welcome. It has helped me
to stand back and understand context.
The test of our skill, then, is the strength
of the relationships we have built over time,
after a challenging audit is over. This is the
true measure of our effectiveness we need
to know that as the cycle resumes we can
continue as before in a relationship built on
trust with our integrity intact and the sense
of a job well done.
If anyone thinks the internal audit
profession is dull, invite them to step into our
shoes for a while I can honestly say I have
rarely known a dull moment.

Further information
Karen Bassett is chief internal auditor
at Leeds Building Society and chair of the
IIA Mutual Sector Group Committee. She
was previously chief internal auditor at
Northern Rock/Virgin Money and audit
director at HBOS/Lloyds Banking Group.

Additional news, features

and views are posted online all the
time. Go to www.auditandrisk.org.uk
to see whats new.

UPDATE

We round up the latest business

and regulatory news to affect
the internal audit profession.

EY: organisations need better

risk governance, not more
Big Four firm EY says that there
needs to be a focus on improving
risk governance rather than
recruiting more people to work
in compliance.
EYs paper, called Risk
Governance 2020, says that board
oversight needs to be enhanced,
while organisations also need to

align their culture with their

risk appetite, particularly as
regulators and investors are
pushing for more effective
corporate governance.
To achieve the vision of Risk
Governance 2020, EY says
organisations need to fully embed
risk appetite frameworks,

strengthen risk accountability/the

three lines of defence model,
increase control effectiveness,
enhance risk transparency, have
an integrated talent and
incentives approach, create
stronger board oversight and
have a robust risk culture.
View the paper at bit.ly/1dGVjqi

Lloyds risk model shows

cost of catastrophes
A new catastrophe risk model called GDP@Risk
developed for Lloyds of London, the insurance
market, has found that up to US$4.56trn could be
wiped off the global economy over the next ten
years if the worlds biggest cities are hit by disasters
ranging from market crashes to earthquakes.
The cash figure represents 1.2 per cent of the
total GDP forecast to be generated by these cities in
the next decade, says the research.
The index focuses on 301 of the worlds leading
cities, selected by economic, business and political
importance.These cities are responsible for over
half of global GDP today, and an estimated
two-thirds of the worlds economic output by 2025.

Globally, the index identifies three key

trends. Firstly, emerging economies will
account for the majority share of risk-related
financial losses as a result of their accelerating
economic growth.
Secondly, man-made risks such as market
crashes, power outages and nuclear accidents are
becoming increasingly significant, associated with
almost half the total GDP at risk.
Thirdly, new or emerging threats including
cyber attacks, human pandemics, plant epidemics
and solar storms have a growing impact, and
account for nearly a quarter of total GDP at risk.
For more details see bit.ly/1MGwEkQ

Obituary: Sir
Adrian Cadbury
Sir Adrian Cadbury, author of
the Cadbury Report on
corporate governance (1992),
died on 3 September. He was
86. Cadbury was the grandson
of George Cadbury, founder of
the Cadbury factory and the
model community at
Bournville. He retired as
chairman of the family firm in
1989 and was asked by the
FRC and the Stock Exchange
to chair the committee on
corporate governance, which
recommended clear division
of responsibilities at the
top of firms, the importance
of high-quality nonexecutives and full disclosure
of directors rewards.

ISO standard on
supply chains
The International Standards
Organisation (ISO) has
published a new technical
specification for supply chain
continuity. Called Societal
Security: Business continuity
management systems
Guidelines for supply chain
continuity, the standard ISO/
TS 22318:2015 provides
guidance on methods for
understanding and
extending the principles of
BCM embodied in ISO 22301
and ISO 22313 to the
management of supplier
relationships.
For more information
see bit.ly/1NJpH0N

ASIS and rims

release risk
assessment
standard

DOJ set to take on executives

Following years of criticism that executives at big companies and financial

firms escaped jail in the financial crisis, the US Department of Justice
(DOJ) has issued new policies to bring individual employees to book.
The DOJs approach will put pressure on corporations to turn in
evidence against their executives. Corporations can only commit crimes
through flesh-and-blood people, said Sally Q. Yates, the deputy attorney
general. Its only fair that the people who are responsible for committing
those crimes be held accountable. The public needs to have confidence
that there is one system of justice and it applies equally regardless of
whether that crime occurs on a street corner or in a boardroom.
The new approach means that companies cannot get credit for cooperating with the government (plus smaller fines and a civil settlement)
unless they identify employees and turn over evidence against them,
regardless of their position, status or seniority.
To read the memo visit nyti.ms/1UI5CZd

Institute reveals new FS sector

strategy and conference
The institutes code for effective
internal audit in the financial
services sector is having a
significant impact on how internal
audit is harnessed and positioned in
financial services firms.This brings
new challenges and opportunities
for practitioners and the institute is
launching a new approach to
supporting members in the sector.
A sector advisory panel has been
created, comprising institute
members working in the sector, led

by Gordon Craig, director of internal

audit at 3i.The panel will help to
shape and focus the institutes policy
research and technical guidance
resources in the sector. Sectorspecific resources have been
gathered under a financial services
section on the resources area of
the website.The panel will also
guide the content of events for the
sector, including a new annual
conference for financial services
sector practitioners.

The first annual

conference takes place
on 11 November in London.
Ian Peters, institute CEO, will outline
the new sector strategy and present
the results of a new survey on
internal audits role in conduct risk.
There are plans to include other
key sectors in the sector strategy
in due course.
Full details of the financial services
sector conference can be found at
www.iia.org.uk/bankingconference

ASIS International, a
body aimed at helping
security professionals,
has published a
new standard
developed in
conjunction with RIMS,
the US-based risk
management society.
Called Risk
Assessment ANSI/
ASIS/RIMS RA.1-2015,
the standard provides
guidance on how to
establish a risk
assessment programme
and conduct individual
risk assessments
consistent with
ISO 31000:2009
Risk management
Principles and
guidelines, as well
as the COSO Enterprise
Risk Management
framework.
It also provides
guidance on how
to conduct risk
assessments for risk and
resilience-based
management system
standards for the
disciplines of risk,
resilience, security,
crisis, business
continuity and recovery
management.
For more information
visit bit.ly/1ONO4eP

Greater expectations
Last month, senior practitioners from across the country and sectors gathered for the
Chartered IIAs annual conference 2015, the largest of its kind in the UK. Delegates
from up and down the country and the leading lights of internal audit, governance and
risk management shared their insights into the unprecedented opportunities,
changes and challenges that lie ahead. We have pulled together some of the most
salient themes of this two-day event.

he internal audit profession is

take-on, but wont conduct any ongoing

shortage of emerging talent, rising

being perceived in a very different

due-diligence reviews, said Kevin Brear, a

expectations from stakeholders, the challenge

light these days. Audit

senior manager in business recovery services

of balancing assurance with other services,

committees are expected to

at Grant Thornton. He advised that firms

increasing regulatory scrutiny and the

provide the same checks and assurances as

should be fully aware of technology

growing complexity of technology risks.This

ever, but their purview is expanding just as

developments, ensure they have the correct

means that delivering value is becoming more

new risks emerge. Ian Peters, CEO of the

blends of skill sets and people, share lessons

challenging, particularly as the internal

Chartered IIA, told the audience at the

from breaches and information on emerging

auditors focus is being pulled in all directions

institutes conference last month that internal

risks, and develop practices quickly as

to align with evolving and emerging risks.

auditors are no longer box tickers helping to

prevailing risks emerge.

improve governance with hindsight. Instead, it

10

The evolution of the internal auditors scope

Encouragingly, internal auditors are keeping

abreast of this ever-changing pool of potential

is important to anticipate risks and ensure that

and responsibilities was also emphasised by

threats. According to a survey carried out by IIA

they are mitigated in advance.

Mike Wilson, partner, and Sameena Arshad,

Globals Research Foundation this year, 91 per

director, internal audit risk and compliance at

cent conduct a risk assessment and 85 per cent

associated with outsourcing, to auditing

KPMG. In its infancy, the role of the internal

use a risk-based methodology for the plan.

corporate culture and businesses strategic

auditor was to ensure compliance with

However, 32 per cent assess emerging risks

risk, organisations expectations of their

policies, procedures, laws and regulations. As

only once a year and 65 per cent update their

internal audit teams continue to grow.

The skills required

to look at risk
culture need to be
an extension of the
core capabilities
of internal audit.

plan no more than twice a year. Chambers

From cyber security threats and the risks

Internal audit is the only function that has a

view across an organisation and can provide
assurance on information from disparate
sources, Peters told a packed auditorium. In
addition to the strategic advisory role, we have
seen internal auditors focusing on areas that
were not on our radars until recently.
Developing appropriate assurances for

told the audience that if internal auditors are

to be fully effective they must audit at the
speed of risk.
Today, internal auditors are expected to
scrutinise factors that are far softer than
financial reports. Improper corporate culture
can be the undoing of a company and it is
increasingly the internal auditors job to

cyber security has been one of the audit

the profession matured, it grew to encompass

monitor this intangible yet crucial feature of

committees greatest challenges in recent

reviewing the efficacy of those policies and

every business. Sir Gerry Grimstone, chairman

years. As budgets are cut, particularly in the

controls and the adequacy of responses to

of Standard Life, said culture is far more

public sector, there has also been an emphasis

emerging risks. More recently, internal

difficult to audit than a balance sheet.

on outsourcing, with all the risks associated

auditors have come to enhance value rather

The challenge for internal audit is how to

with hiring third parties. In many cases, the

than simply to preserve it, they said.This has

do this, how to move into these softer areas

two converge as companies increasingly

meant offering more than core assurance, but

and whether it has the skills to do so. But

adopt cloud services and this is often where a

also contributing to business performance and

I do believe the skills required to look at

companys greatest vulnerabilities are found.

offering strategic support with a more

risk culture need to be an extension of the

consultative approach.

core capabilities of internal audit and, in

It never ceases to amaze me, from all of the

organisations I speak to, just how many are

Richard Chambers, president and CEO of

particular, your ability to intelligently and

weak on this.They havent sorted out the

IIA Global, explained that the profession is

robustly challenge and most importantly to

criticality of third parties. Some do reviews at

facing pressure from all angles, including a

anticipate, he said.

 Internal audit is the only

function that has a view across
an organisation and can provide
assurance on information from
disparate sources.
Ian Peters, CEO of the Chartered IIA

Andrew Fitzmaurice, chief executive at Templar Executives,

speaks about need for cyber resilience in the UK.

Richard Chambers,
president and CEO
of IIA Global, told
the audience that if
internal auditors are
to be fully effective
they must audit at
the speed of risk.

The challenge
for internal audit
is how to move
into these softer
areas and
whether it has
the skills to do so.
Sir Gerry Grimstone,
chair of Standard Life

Alistair Smith, internal audit risk

and control director at EDF Energy,
discusses what good risk
management looks like today.

11

REPORTAGE

Each year the Chartered IIA conducts research among heads of internal
audit to find out what internal auditors are really doing in their dayto-day jobs, whats happening to their budgets and what risks are
highest on the teams radar. Here are the results of this years survey.

12

Which of the following services in addition to risk-related roles does internal

audit provide your board/board committee? (check all that apply)
Conduct confidential investigations, such as fraud
84%
Provide views on the performance of management in relation to controls or the adequacy of corrective actions 77%
Provide an annual opinion on the adequacy of the organisations system of internal controls
73%
Offer concrete proposals on improving internal controls
71%
Conduct governance reviews
61%
Act as a channel for whistleblowing
52%
Manage co-sourcing of internal audit functions
49%
Provide input on the evaluation of the external auditors performance
31%
Contribute to the induction and/or CPD of board members
28%
Advise the board/committee on reports or information from external parties, such as regulators
26%
Monitor board/committee activities to ensure the committees charter responsibilities are accomplished
23%

Changes to public sector budgets

Local government
Central government
Rest of public sector

Budget increase
14%
16%
27%

No change
39%
58%
50%

Budget decrease
47%
26%
23%

To whom do you report?

Chair of the audit committee
CEO
Other
CFO
Board chair
Chair of other board committee

All
Public
Private sector
sectors sector (non-FS)
69%
43%
72%
12% 32% 2%
8% 11% 6%
7% 10% 12%
4%
4%
7%
1%
0%
2%

000000.00

Out of the list below, which are the top five areas of risk on
which internal audit currently spends most time/effort and
which are the top five risks your organisation is facing?

Time/effort spent

Operational
Adequacy and effectiveness of risk management
Financial reporting and control process
Corporate governance process and structure
Data privacy and security
Regulatory change
IT projects
Fraud
Business continuity
Outsourcing/supply

76%
61%
51%
48%
47%
40%
38%
23%
22%
20%

Risks facing the organisation

48%
36%
21%
26%
43%
49%
35%
16%
16%
16%

Choose the top five competencies you and your team need
to perform your work effectively now and those you will
need in five years time

Communication skills
Problem identification and solution skills
Knowledge of industry, regulatory and standards changes
Business/commercial acumen
People management skills
IT/ICT frameworks, tools and techniques
Change management skills
Conflict resolution/negotiation skills
Ability to promote value of internal audit
Accountancy frameworks, tools and techniques
Organisational skills

Now
77%
65%
58%
54%
44%
42%
38%
37%
35%
30%
29%

13

Five years time

68%
56%
55%
58%
43%
50%
46%
30%
31%
22%
22%

Can you meet the following without management present?

External audit
CEO
Chair of the audit committee
Chair of the board
Chair of the risk committee
The regulator
Other non-executives

All

95%
92%
89%
71%
50%
46%
29%

Public sector
96%
89%
87%
61%
38%
30%
22%

Private sector
95%
93%
93%
70%
35%
32%
25%

More detailed results can be found at www.iia.org.uk/govandrisk2015

Financial services

95%
96%
90%
75%
82%
75%
36%

14

While much has been written

about the increasingly global
nature of many internal audit roles
(and the value of transferable
qualifications), few UK internal
auditors have a job that is as fully
international as that recently
taken on by Madina Bazarova.
CGIAR is a global consortium of
15 independent research centres
generating agricultural research
to alleviate problems such as
poverty, hunger, malnutrition and
environmental degradation.The
organisation, which has its
headquarters in the French city of
Montpellier, is funded by
governments around the world
and the money is coordinated by
the World Bank.
Bazarovas role as associate
director of CGIARs internal audit
unit Asia, which she began in June
this year, is based in Malaysia, but
she is responsible for putting
together a team that will audit five
research centres based in
Malaysia, Indonesia, Sri Lanka,
the Philippines and India. Not only
are these geographically
scattered, but the research itself is
diverse and, usually, long term.
Bazarovas team is hosted by
one of the research centres
headquartered in Penang called
WorldFish, which strives to
harness the potential of fisheries
and aquaculture to reduce hunger
and poverty. In India the focus of
the research is crops in semi-arid
tropics, while in the Philippines it
is rice and in Indonesia, forest.
Each research centre has very
different needs in terms of
resources and faces varying risks
for example, work in the
Philippines involves hiring local

people to farm large paddy fields

of different types of rice, so
internal audit may need to provide
assurance that these people are
treated according to labour laws
and have adequate health and
safety provisions.
Broader risks that need
constant assurance and
monitoring include funding, fraud
and corruption, cyber crime and
research outcomes. As a qualified
accountant who spent many years
working for Save the Children,
which she joined in 1998,
Bazarova is familiar with many of
the financial pressures facing
third-sector organisations, but
there are also important
differences in her current role.
At CGIAR we have a lot of
stakeholders to satisfy from the
general taxpayers and
governments and traditional
donors to our staff, she says.
Volatility in funding is an issue
for everyone in this sector
because governments change
their priorities year on year and
they own the projects, but
CGIARs work is intellectually
charged: we cant suddenly cut
our spending on commodities,
such as tents, in the way that
Oxfam or Save the Children can.
Our major expense is people
and if we lay off scientists then
we wont get them back and it
could jeopardise a long-term
research programme.
CGIAR cannot, of course,
predict exactly what governments
will choose to do with their money,
although it can follow regular
events such as elections that may
cause a delay to payments or a
change in funding policy. It is also

Global
challenges
Madina Bazarova, associate director
of the internal audit unit Asia at
CGIAR ( The Consultative Group for
International Agricultural Research),
explains why she moved from London to
Malaysia to take up this role and why
soft skills are the key to performing
successful internal audits worldwide.
Words: Ruth Prickett Photographer: Peter Searle

Volatility in funding is an issue because governments change

their priorities year on year and they own the projects.

15

The issues are not just environmental and developmental, but

also ethical and about intellectual property for example,
some projects involve genetically modified crops and different
governments have varying policies on GM.

16

vulnerable to sudden reversals caused

by emergencies and natural disasters.
At the moment European
governments are focusing on the
refugee crisis, but our funding can also
be disrupted by a disaster such as an
earthquake or a tsunami, she explains.
With little room for spending
flexibility, the internal audit team has
to focus on providing assurance that
what she calls the accounting
fundamentals are in place and are
working effectively that is, basic
controls that ensure that the organisation
does not hit cash flow problems that
could have been anticipated.
The job also incorporates personal
challenges for Bazarova. Having worked
at Save the Children in a number of
roles, initially in finance and then in
internal audit, she decided to move
because she wanted new experiences
and felt that it would be good to have a
change. And change is what she got.
She moved from a London-based job in
a huge organisation with a relatively large
internal audit team, where she knew lots of the
key people, to an office in Penang, where her
first task was to build a new internal audit team
and to pick up several months backlog of
audits that had been neglected while the
previous team, based in the Philippines, was
winding down.
Fortunately, she points out, the labour
market in Malaysia is excellent and there
is a Malaysian Institute of Internal Auditors,
so she could look for the right person with
either a local or a global internal auditing
qualification. She is also looking for a
specialist IT auditor who can set up an IT hub
in Penang to drive the consortiums global IT
audit strategy. Its difficult because everyone
is looking for great IT auditors at the
moment, she admits, but Penang is a good
place to search because there are lots of IT
companies here and weve seen some very
good candidates.
Recruitment is a risk for the consortium as
a whole. There is huge competition for the
best scientists and, since we cant pay them

the best salaries in the market, its important

that we can offer them exciting opportunities
to do ground-breaking work that makes a
difference and enables them to publish
interesting findings, Bazarova says. One
relatively new pressure from governments is
assurance that scientific findings are
translated into actions that make a real
difference to peoples lives and this means the
organisation has to focus on forging
partnerships with other charities that can
implement findings on the ground.
Fraud and corruption are a concern for any
organisation spending public money on
global projects. As Bazarova points out,
cultural norms and expectations vary widely
in different countries and its vital that CGIAR
can demonstrate that it makes clear what is
acceptable and unacceptable to people
working at all levels across the consortium.
Scientific fraud is less of a concern, she says,
since prominent scientists sit on the board
and on recruitment panels and review
projects and findings. However, the
organisation is still vulnerable to the

normal types of fraud and corruption

faced by any multinational organisation
working in places where petty pilfering
is widely seen as a perk of the job and
backhanders are too often the way
things are done.
Its important that internal audit
works with strong support from the
board and gets full oversight of what
goes on, Bazarova says. In addition to
scientists, the research centre boards
also include representatives from
governments and senior figures from
commercial banks who bring in their
private-sector expertise.
I generally feed into the boards via
the audit committee and I report to the
audit committee chairs, Bazarova
explains. The audit committees meet
four times a year, twice face to face and
twice by conference call, since members
come from across the world and from a
variety of sectors. This means that all
the members have different
perspectives, which really enriches the
decision-making process, she says. To add to
the complexity, each research centre is
separate with its own research priorities and
projects so each has its own audit committee.
This means Bazarova is attending five such
meetings in October and November.
Im part of a shared internal audit service
across the consortium and the more I learn
about what these organisations do the more
interesting it becomes, she says. The
issues are not just environmental and
developmental, but also ethical and about
intellectual property for example, some
projects involve genetically modified crops
and different governments have varying
debates and policies on GM.
Changes to the consortiums governance
structure and the introduction of a number of
large themed projects spanning scientific
teams in different places are also adding to
Bazarovas work, creating some uncertainty
about internal audits role and more demands
for complex multinational audits.
All the consortiums centres sign up to an
open access policy for their research findings;

17
however, Barazova points out, this can be
complicated when working with third-party
projects and its important that all the
organisations understand the legal situation
and what they can and cant publish or do.
Im currently going through the risk
registers for each of the organisations Im
responsible for and identifying which risks
have remained constant and whether there
are new and emerging ones that we should
be auditing, she says. Apart from anything
else, I have to consider the risks to this audit
function we are a shared service and if we
are not providing what these organisations
need they can go elsewhere.This is very
different from my last job. It feels far more as
if I am a consultant.
This, she adds, has stretched her soft
skills and has certainly provided her with the
new experiences and developmental
opportunities she was looking for when she
left Save the Children. Now more than ever,
she says, its vital for her to build
relationships and communicate what internal
audit is trying to achieve, how it intends to do
it and the benefits it provides.

CGIAR
is a global

consortium of 15
independent research
centres generating
agricultural research
to alleviate problems
such as poverty,
hunger, malnutrition
and environmental
degradation.

What attracted me to internal audit in the

first place was that you get exposure to
different areas of activity and different
functions, which is great for learning, she
says, although she admits that she can find it
frustrating not to be responsible for putting
recommendations into practice.
However, developing the right soft skills to
influence and persuade people to implement
the required changes effectively is both vital
and rewarding. Bazarova had plenty of

experience working overseas for Save the

Children she visited over 50 countries
during her time at the charity but a new
place still presents new issues.
I wasnt born with soft skills and finding
the right way to approach things, especially
in a new country and culture, involves a long
process of trying things out and seeing what
works best, she says. You even have to be
careful about what you say and how you
say it when youre socialising outside work
the jokes you make and light-hearted
comments could affect how you come across.
One board member told me about a terrible
experience hed had with an internal auditor
20 years ago and it clearly still affected his
view of internal audit.
At the same time, she adds, internal audit
has to be prepared to stand up, be critical and,
sometimes, persuade people to change set
ways. We talk about protecting and
enhancing organisational value, but you cant
do this without soft skills, she says. If youve
got great technical skills but no soft skills and
people dont follow your advice then youve
only done half of your job.

sowing
a seed
18

teve Powell is both head of

group audit at specialist
lender Paragon Group and
head of internal audit at its
new banking subsidiary,
Paragon Bank. Over his
career working as an
in-house head of audit and
as an outsourced provider
of internal audit services to
new businesses, Powell has
set up five different teams.
He has worked in a broad
range of sectors including
financial services,
manufacturing and
pharmaceuticals, and
believes that it is a lot easier
to build something credible
from scratch if you have
a depth of multi-sectoral
experience to draw on.

In particular, he recounts
setting up an internal audit
function from scratch in a
large international
manufacturing group. He
was new to the business so
made it his mission to
introduce himself to all the
key stakeholders and
understand what they did.
He also had to educate them
about what internal audit
was going to do. I think
even today, people think
you are there to find fault,
he says. I wanted to make
it clear that wasnt the
objective.You need to really
emphasise the benefits.
At Paragon, the groups
internal audit team also
provides internal audit
services to the bank, so the
team wasnt built from
scratch. Nevertheless,
Powell had to assess the
knowledge and skills gaps
that existed for the new
business and plan how to
fill them.The group teams
only real deficit was on the
regulatory side, so he

recruited some experienced

people and also co-sourced
some of the planned review
work. We could see a
mutual benefit from
bringing in external
technical expertise to work
with our own team so we
could learn from each
other, he explains.
He believes the key to
success is to engage with
stakeholders and to nurture
those relationships. If you
can genuinely understand
the organisation and make
sure that the board and
directors are on your side
you can engage everybody
with what youre trying
to achieve and really make
it work.

Auditing the NHS

Simon Gascoigne CMIIA is
deputy director of 360
Assurance a subsidiary of
Leicestershire Partnership
NHS Trust which provides
internal audit services to
around 35 NHS trusts and
clinical commissioning

Heads of internal
audit usually join
an established
team, but they
are occasionally
invited to set up
a function from
scratch. When
this opportunity
comes along, what
are the keys to
success and the
challenges? To
find out we asked
four HIAs with
experience of
putting new
internal audit
teams together
to share their
knowledge and
experience of
how its done.
Words: Wilma Tulloch

If you can genuinely understand the organisation and ensure that

the board and directors are on your side, you can engage everybody
with what youre trying to achieve and really make it work.

19

If people dont accept your findings youve got to build that

relationship until they know your work is good enough and credible
enough that they can see the value in what you say.

20

groups. As the NHS has changed

over the years, 360 Assurances
services have come under
commercial pressure.This led
Gascoigne and his colleagues to
think about how they could
differentiate the way they offered
internal audit services.
At the same time, 360
Assurance recognised that in an
increasingly clinician-led NHS, its
audit teams were made up of
auditors and accountants. After
extensive discussions with
customers around what they
wanted and needed, it set up a
new internal audit function
which for the first time included
clinicians.This tipped the focus of
audits away from the financial
and towards the operational.
Gascoigne recalls that taking
the plunge to employ the first
non-auditor was his biggest
challenge. Subsequently, the
introduction of the new Clinical
Quality Audit Team has gone
well. Now in its third year, the
team can hardly grow fast
enough to meet demand.
However, like Powell, Gascoigne
found that there can still be
resistance to internal audit so an
important component was to
sell the new team. Having
clinicians on the audit team has
been a big help with this. If your
customer is a medical director
you get far more credibility if you
are a clinician yourself, he says.
But it is about how you
position internal audit as well,
he adds. We have worked very
hard at how internal audit is seen.
We aim to get the client on board
so that they agree there is always

room to improve, and that it is

beneficial to work in partnership
to identify where those
improvements are. Its about how
we can help the organisation to
achieve its strategic objectives
and build mutual trust and an
understanding that we are all
trying to get to the same place.

Corporate focus for NZFS

UK member Caroline Steele CFIIA
has built a new internal audit
function for the New Zealand Fire
Service (NZFS). Before she
joined, a review indicated that a
more corporate-focused audit
team was needed. Steele, the
NZFSs internal audit manager,
began by holding conversations
with senior managers and new
colleagues, and combing through
documents on governance,
business planning and risk to
build a picture of the organisation
and its risks.
Her next step was to put
together an audit plan.This drew
partly on her experience of
typical audits, but she also
considered the aspects unique to
the fire service. Steeles plan
indicated how many days of
audit work each year the audits
would take with different
numbers of auditors. Once the
plan was accepted, she was able
to go out and hire her team.
She also tackled what she calls
the argumentative tension
that existed between internal
audit and management. I picked
up previous audit reports.
Management would disagree,
then internal audit would say,
no youre wrong. I didnt think

Ten tips for

creating an
internal audit
function

1
2

Engage with all your

stakeholders and continually
nurture those relationships.
Position your team
as one that will help the
organisation to achieve its
strategic objectives.
Establish and clearly
communicate the vision and
culture of your audit team.
Where appropriate, pull
individuals from the
business into guest auditor
roles this accelerates the
teams acceptance in the
business and brings in vital
business knowledge.
Seek information and advice
from professional bodies,
especially the Chartered IIA.
Use audit planning and
benchmarking data to shape
the team.
Design roles carefully to
attract the right people.
Be forward-looking for
example, try to anticipate the
strains that rapid growth might
put on your organisation.
Understand in the broadest
sense what the organisation
needs from internal audit for
instance, think about what every
member of the board could want
from your team.
Work with the organisation,
but remain a critical friend.

3
4
5
6
7
8

10

that kind of back-and-forth

process added value for
anybody, she says.
If people dont accept your
findings youve got to build that
relationship until they know your
work is good enough and credible
enough that they can see the value
in what you say. Its about bringing
people round to thinking, actually,
its good to be challenged and to
have someone taking an
independent look at things.
Steele concludes that the key
to success has been getting the
right people on board. Its their
efforts day to day that have
built the reputation of our team,
she notes. In addition, she
believes its crucial to nurture
relationships with the CEO and
the audit committee.
That gives you a voice at a
very senior level and credibility.
Although, she adds, you have
to deliver the quality of work that
they want, which is about having
the right people.

A team from scratch at TSB

Rosemary Hilary is the chief audit
officer at TSB Bank. She joined in
October 2013, just weeks after it
was re-created as a standalone
bank by transferring millions of
customers out of the Lloyds
Banking Group (a condition of
Lloyds taking state aid during the
banking crisis). She built the
banks internal audit team almost
from scratch, but it was not a new
experience, since shed
previously built a team at the
Financial Services Authority.
Hilary says that its essential to
study the business you are in

21

before you can form a new

internal audit team inTSBs
case, this meant its past, present
and future. She then set about
creating an audit strategy and
universe: What were the key
risks and how we would go about
having a strategy to audit them.
She produced a menu of options
so that the executive committee
could have a really good quality
conversation around what we
could do with different levels of
resource. Those discussions
established the headcount and
budget for the new team.
Hilary also saw it as vital to
invest in setting the tone of the
type of audit function she
needed. I wanted to set out my
vision, she says, which is to
have a function that works with
the business so that together we

As the NHS has

changed over
the years, 360
Assurances
services have
come under
commercial
pressure. This
led Gascoigne and
his colleagues
to think about
how they could
differentiate the
way they offered
internal audit
services.

can create the strongest possible

risk management and internal
control system. Of course that
does mean challenging, but its
really important that you are part
of the business and seen to be a
partner. She therefore looked for
people with both the right mix of
skills and experience, and the
ability to contribute to the tone
she wanted to create.
She has three main pieces of
advice for others in her position.
First, it is essential to build good
stakeholder relationships among
business colleagues and with the
audit committee. Second, make
sure the audit plan looks to the
future. Last, create interesting
jobs and career opportunities to
attract and retain a high-quality
team that will deliver value for
the business.

Further
information

The Chartered IIA has produced

guidance on setting up a new
internal audit function and on
models of effective internal
audit. These can be found on the
institute website at www.iia.org.
uk/setupnewia and the models
on effective IA at www.iia.org.
uk/models
Paragon Groups internal
audit team and 360 Assurances
Clinical Quality Audit Team were
named as outstanding teams in
the Audit & Risk Awards 2015,
while the internal audit team at
New Zealand Fire Service was
highly commended.
For more details about this
years awards visit www.
auditandrisk.org.uk/awards

Value pool

When United Utilities recently

underwent a Chartered IIA external
quality assessment, its head of
internal audit and risk was already
quietly confident his team met all
the required professional practice
standards. He explains why it was
feedback on broader processes and
a sense of how the organisation
benchmarked against others that
really added value to the experience.
22

Words: Ruth Prickett

nited Utilities head of internal

audit and risk, Mark Lenton, was
clear about what he wanted from
the internal audit teams recent
external quality assessment (EQA).The
organisation had not had an EQA for five
years before Lenton joined the team and
since then it had gone through substantial
changes to drive improvement and respond
to shifts in both the external regulatory
environment and on the senior management
team, including a new chief financial officer
and chief executive, as well as a new audit
committee chair.
United Utilities provides water and
wastewater services to around seven million
people in north-west England.The sector is
highly regulated and recent changes have
provided both uncertainty and opportunities,
says Lenton. The regulatory focus is now
more on outcomes rather than on inputs and
activities, which leaves the company more
scope to work out how to do the right things,
he explains. Partly as a result of this, and to
improve operational, customer service and
financial performance for key stakeholders,
the company has made a huge number of

internal changes.The need for assurance is

therefore very high and my team and I have to
remain responsive to ensure we focus on the
right things, so its an interesting time to be in
internal audit.
Lenton was confident that his team was
performing well. Ongoing quality assurance
and customer surveys were all positive and
the executive and audit committee had
expressed no particular concerns. However,
he was keen to get external verification and
feedback, as well as believing that an EQA
was necessary if the organisation was to
follow best practice guidelines.
There was no sense that anyone was
dissatisfied with what we do, but its always a
good idea to seek feedback, listen and learn
from others, says Lenton.
The last EQA focused at a more strategic
level, leaving many areas needing detailed
review. It did, however, identify significant
areas for improvement and found that
although the function had good people, it was
perceived as underperforming, lacking focus,
leadership and management, he says. My
focus on joining was to transform it, then
push on to innovate and improve further.

An EQA could be regarded as threatening, but

for me it was an opportunity to showcase what
you do, be challenged and learn from others.

23

View from
Brian May,
audit committee
chair at
United Utilities
The key decision was not
whether to do an EQA, but
who should do it. Mark put
forward the idea of using the
Chartered IIA rather than one
of the Big Four accountancy
firms and we were very
pleased with what this
produced. From my point of
view it wasnt time-consuming
and I had confidence in the
assessor because shes been a
head of internal audit at a FTSE
100 organisation herself. The
feedback was well structured
and was very positive. This
meant there werent any huge
changes recommended, but I
had full confidence in the
assessors opinion and felt it
had gravitas.

The institute offered a choice of credible assessors. This

gave me confidence because if my important stakeholders are
being interviewed, my team and I need to trust the assessor.

To support this, Lenton believes its vital

that he and his team keep up to speed with
wider changes and developments in the
profession. He attends institute update
courses as well as the Chartered IIAs leaders
forum. Staying abreast of what others are
doing (and sharing his own experiences) is,
he says, an essential activity if internal audit
is to remain relevant, valued and credible.
All these factors meant that Lenton was
adamant there was no point doing a tick-box
exercise. An EQA could be regarded as
threatening, but for me it was an opportunity
to showcase what you do, be challenged and
learn from others, he says. Complying with
standards is important, but all good teams
will do this and it doesnt tell you anything
more. It was the opportunity to receive
insight and advice that I welcomed.

24

The perfect match

Lenton knew that he needed to find an EQA
provider that could assess what his team was
doing to the right depth, would answer
questions credibly and would inspire the
respect and attention of his team, the audit
committee and the chief executive. He
considered a range of providers, but was
attracted to the Chartered IIA because he saw
it as independent, credible and with a clear
aim to improve the profession. He also
believed it offered a flexible review, beyond
the standards. He presented options on
providers and discussed these with the
executive directors and audit committee, who
selected the institute and opted for the full
EQA service while using the Chartered IIAs
self-assessment tools to help them prepare.
The institute also offered us a choice of
credible assessors, Lenton adds. This gave
me confidence because if my most important
stakeholders are being interviewed, my team
and I need to trust the assessor.They need to
make the process as engaging, relevant and
rewarding for interviewees as possible; this
means having a conversation at the right
level with the right authority and
understanding the issues to ensure they get
the best response from the interviewee.

It was also helpful, he adds, that they could

tailor the timing of the EQA to fit United
Utilities audit committee schedule.The
process was flexible and the assessor was
both efficient and willing to use a mix of
face-to-face and phone interviews. She also
drafted reports as she went along so Lenton
could give his feedback and she could get
corroboration from other interviewees as the
EQA progressed.This flexible approach
allowed Lenton to request a one-page
executive summary of the findings. Overall,
this meant the final report could be
completed without delay. It was then shared
with the audit committee and executive and,
crucially, the assessor joined them in person
to present her findings.
I really enjoyed the process, Lenton says.
The assessor wasnt shy about saying what
she thought and forming her own views.
Thats what made it valuable. He felt the
report, which was extremely positive, was
balanced and fair and was delighted that the
assessor concluded that the function had

United Utilities
tips for EQA success

Prepare well
give the assessor
all the documents
they need.
Ensure the initial
scope is clear and
agreed internally so
that it adds value to
the organisation and
answers all the
relevant questions.
Make time to get
input from all the
necessary people.
Make sure you get
the right supplier
who can answer
all these
questions
and has the
right level of
credibility.
Get the right
assessor for your
organisation.

Get someone in
the team to
project-manage the
EQA its valuable
experience and an
important role.
Set time aside
to talk to the
assessor. This is
an opportunity for
both parties to
raise questions and
speeds up the final
reporting process.
Use the
experience to
showcase what you
have achieved.
Be prepared
to be
challenged and
to learn from
others and listen and
respond positively to
the findings.

successfully transformed to become a

leading-edge internal audit service, and rated
their new longer-term planning process as a
world-class innovation.
As youd hope, there were no huge
surprises, but internal audit can operate in a
vacuum in terms of receiving direct feedback,
so its great to be told your work is good
quality. It made me even more proud of my
team after all, its not by luck that we got
here, he says.
The EQA also confirmed that the internal
audit team benchmarked favourably with the
IIA Globals maturity model. Lenton
particularly valued comments that said they
were listened to, respected and trusted and
focused on what really matters, as well as
the broader recommendations to support the
teams continuous improvement.
The team was praised for its robust, fully
automated action-tracking processes, and the
way in which these are supported by
networks of audit business partners. Other
areas cited included the dual co-sourcing
approach and the variety of broader
resourcing programmes inviting guest
experts and secondees into internal audit. All
these contributed to the functions strong
reputation in the business, its effectiveness
and the way it co-ordinated assurance,
Lenton says.The various ways in which the
team develops the knowledge and skills of
auditors were also praised.

Looking ahead
The forward-planning process that Lenton and
his team were still developing at the time of
the EQA had been prompted by the increased
need to deliver assurance in a flexible and
efficient way and further enhance its quality.
Lenton was keen to explain to the audit
committee what internal audit could provide
and to find ways to ensure that they could see
what they were getting and to understand
findings. At the same time, he wanted the
broader business to understand better the
purpose and aims of the audit team.
The new process built on what the
organisation had done previously, remaining

risk-based but taking it to a new level.

First they revised the whole audit universe
containing key business processes, systems
and activities, plus the legal and regulatory
issues that they needed to consider.They
sought input from business managers to
validate their own views, note any
forthcoming changes and associated
timescales, and facilitate managements
assessment of key risks.
The team then assessed each area
independently to see whether each
managers view of risk seemed accurate and
to gain a view of the risk maturity of the
manager and the business area.This helped
both validate the audit universe and also gave
the internal auditors further insight into the
organisations risk capabilities.They allocated

scores showing high, medium and low risk to

different parts of the audit universe then used
this information to develop a rolling forecast
of intended audit coverage over five years,
and a more detailed plan of the assurance the
team would provide over the next year.
This is a long-term strategic approach and
were not a slave to saying we have to look at
certain things at pre-set times, Lenton
explains. We can vary the nature, breadth and
depth of activities as well as the frequency.
The real innovation and step-change in the
approach was in developing a framework to
allocate better the level and type of
assurance activity that they felt was
necessary and how often this should be
performed.To support this, three types or
intensity of audit activity were defined: a

basic level comprising a tailored selfassessment form completed by the manager

and then followed up by internal audit; an
intermediate review that considers the
design effectiveness of existing controls; and
a deep dive a more traditional end-to-end
review of key processes and controls.
Each audit type has a defined list of the
activities involved and a corresponding
resource allocation that are fed back into the
plan.The approach enables the team to flex
their rolling plan depending on findings, move
and adapt the audits they do, and ensure they
have the right resources and can respond to
developments. It also gives them an overview
of the areas that have been audited, to what
level and on what dates as well as
highlighting any areas with lower coverage.
Lenton says this approach is useful because
he can say to management I can do x number
of audits at this intensity level with these
resources. If you need more then we will need
more support. It also means he can better
explain to managers why they are or are not
auditing a specific area that year. For example,
if part of the business is about to implement a
new IT system or undergo another significant
change, Lenton and his team can defer an
activity or change the audit type, scope and
timing to keep the assurance relevant.
It allows a more informed, intelligent
conversation about plans, he says. But it
also means that we can stay flexible, while
knowing that important changes are factored
in and we wont miss anything. We can
constantly feed back new findings from
conversations with managers.
It hasnt massively changed what we do
or how we do it, but it gives us an extra layer
of detail and were more confident about the
underlying science.The transparency gives
other people more confidence in what were
doing too.
United Utilities was the winner of the
2015 Audit & Risk Award for Outstanding
Team Private Sector. For more details see
www.auditandrisk.org.uk/awards
Find out more information about the
institutes EQA service at www.iia.org.uk/eqa

25

Common cause

26

The relationship
between internal
audit and different
senior managers
varies from
organisation to
organisation, but
the company
secretary should
be seen as a close
ally in most not
least because the
two roles share
many common
characteristics.
So how can this
work in practice?
Words: Neil Hodge

uilding strong relationships

with management while
maintaining independence
can be a tricky balancing
act for internal auditors. Audit
heads need to have a clear understanding of
what directors are thinking in order to
support them and provide them with useful
information, which is something they have
in common with the company secretary.
While speaking to the CEO is ultimately
preferable, and the finance director a strong
second (although there are issues about
how often audit heads should report to the
FD, as well as the topics they should
discuss), the company secretary may be
able to provide guidance on risk, compliance
and control issues more freely because they
are required to focus on these areas.
The roles of head of internal audit and
company secretary have a lot in common.
For example, company secretaries often sit
on the audit and risk committee, compile
their agendas, look at internal audit reports
and check the financial statements from
external auditors.
Peter Swabey, policy and research
director at the Institute of Chartered
Secretaries and Administrators (ICSA),
says this is why there is already a close
working relationship between the two
professions both jobs require the same
kind of approach.
The role of the company secretary
should be to appraise the boards strategic
business objectives and to see how these
can be achieved ethically and legally.
Internal audits role is to see whether the
organisations processes can be relied
upon to deliver these objectives, he says.
Internal auditors and company
secretaries have distinct roles that no one
else in the organisation shares, he adds.
While both professions are there to

support management, they also have a

strong role in providing an independent
challenge to management and the
executive, which puts them at risk of
being labelled business prevention
officers, he says.
Company secretaries should
usually report to the board chair,
although many report to the CEO
with a dotted line to the chair
although this is changing, particularly
in the financial services sector. Heads of
internal audit will more often report to the
chair of the audit committee, with a dotted
line to the finance director. But Swabey
believes that reporting to a part-time
non-executive director may present
difficulties for heads of internal audit,
especially on a day-to-day basis, as the
audit committee chair will not always
be available.
If heads of internal audit have
concerns or queries about
governance issues or management
strategy that are not major enough
to involve the audit committee, then
to whom should they report? Raising
operational concerns with the finance
director may not always be appropriate
as it may affect internal audits
independence to report to him or her on
day-to-day issues.
This is why it may help to
cultivate an ally in the company
secretary, says Swabey.
Company secretaries have
boardroom standing and act
as an independent challenge
to executives in the same way
as internal audit does.They are
also on call all the time, as
opposed to audit committee chairs.
It therefore makes sense for heads of
internal audit to consult with company

Heads of internal audit can never have too many

friends, and one with a foot in the boardroom and
a similarly independent role can be helpful.

27

It makes sense for

heads of internal audit
to consult with company
secretaries because both
functions are independent
of the executive and both
have the same goal.

makes sense for both functions to

liaise more regularly to share
their findings and concerns.
There is no specific Chartered
IIA-related guidance or favoured
approach on how heads of
internal audit should work with
the company secretary.
However, the institutes
Standards and International
Professional Practices
Framework encourages internal
auditors to work with others
in the organisation as part
of their goal to provide highquality assurance.
The institute has also
published guidance on the roles
of internal audit around risk
appetite and culture, which may
prove useful given the company
secretarys duties to inform the
board and shareholders in the
annual report about risks to
the business.
Chris Baker, technical
manager at the Chartered IIA,
says that company secretaries
can also approach heads of
internal audit with queries when
they need information, rather
than wait for finished reports.
Company secretaries need
assurance on risk information to
help inform executive decision
making. Internal audit can give
advice on whether controls are
adequate and can say where
controls have failed and what
has happened as a result. If
company secretaries want to ask
questions on a rolling basis, they
are free to do so, he says.
Baker believes that more
frequent meetings formal or
informal between audit heads
and company secretaries may
prove useful. Having meetings
between internal audit and the

Strategic
report

28

secretaries on certain issues

because both functions are
independent of the executive and
both have the same goal.
He suggests that audit heads
and company secretaries can
collaborate in several areas. For
example, heads of internal audit
can play an active role helping to
induct new directors (executives
and non-executives) and making
them aware of the organisations
risk profile, internal control
framework and risk appetite.
Company secretaries should
in turn use internal audit as a
valuable resource to get a better
idea about operational risks and
controls. Internal audit is one of
the few functions within the
organisation that actually has
on-the-ground knowledge of
how different departments work
in reality, what their risk profiles
are like, and how well the people
working within these
departments appreciate risk
levels and understand risk
management and internal
control, Swabey says.
It is hard to gauge these kinds
of issues just by looking at
reports and hard data you need
to get a feel for what is
happening and internal audit can
provide that input and give an
independent viewpoint.
Swabey adds that internal
audit can help company
secretaries to understand the
culture of the organisation.
Company secretaries are aware
of what the ethical tone of the
organisation should be, but they
dont have the level of insight that
internal audit has about how the
tone from the top is cascaded
down the organisation and
understood in reality. It therefore

A recent statutory
instrument under
the Companies
Act 2006 requires
the strategic
report from the
boards of all
listed companies
to include a
description of
the risks facing
the company
and how these
are managed.
How can I do this
without internal
audits input?

company secretary can help to

inform the audit plan and what
areas internal audit should be
looking at, he says.
Many company
secretaries already enjoy
good working
relationships with heads
of internal audit. Richard
Russell has held a variety of
chartered company secretary
roles since 1975 in organisations
including defence company
British Aerospace, magazine
publisher Emap, property
developer Hammerson and,
latterly, Guinness Peat Group
(now Coats Group), an
investment holding firm.
He believes that greater
corporate governance
requirements have strengthened
the relationship between
company secretaries and
internal audit over the years,
particularly as the company
secretary is usually the secretary
of several committees, including
audit and risk.
One of the company
secretarys key roles is to prepare
the various reports to
shareholders, including the
annual report. A recent statutory
instrument under the Companies
Act 2006 requires the strategic
report from the boards of all listed
companies to include a
description of the principal risks
and uncertainties facing the
company and how these are
managed. It has always fallen to
me to prepare this content, which
includes the section on internal
and financial controls. How can I
do this without internal audits
input? he asks.
Furthermore, Im not just
looking for facts and figures, but

Audit heads and company

secretaries can collaborate
in several areas. For
example, heads of internal
audit can play an active
role helping to induct
new directors.

29

an opinion based on evidence on

the ground. With the increasing
focus on risk and uncertainty, the
company secretary relies heavily
on the internal auditor to keep
abreast of operational
developments so that he/she has
the necessary information to put
before the audit and risk
committees, as well as the
board, he says.
The internal auditor with
their detailed knowledge and
experience of the operations of
the company can inform and
support the committees on a
regular basis, and can also take
back any consequent feedback,
Russell adds. The better the
relationship between the
company secretary and the head
of internal audit, the stronger the

governance framework will be,

as well as the appetite for risk.
Russell says :The last head of
internal audit I worked with was
terrific. He had a good feel for the
operational risks that the
company faced and he had
visited all the overseas sites and
knew how they worked and what
needed to be done. He gave
incredibly good feedback and risk
information to me, as well as
recommendations for
improvements or areas that
should be prioritised, and I was
able to pass this on to the board
with confidence.
Susan Swabey, company
secretary at medical technology
company Smith & Nephew, says
that she has found internal audit
to be a natural ally. This is

because we tend to think the

same way and we both have a
similar role to play. While we both
report to management, we also
report to the non-executives and
so we provide assurance as well
as an independent view.
She adds that she has always
had a good working relationship
with internal audit. Company
secretaries work with internal
audit to help compile the audit
committee agenda papers and
write part of the corporate
governance statement in the
annual report.The closer the
relationship is, the more detailed
and precise that information
will be.
She says that she would always
encourage company secretaries
and heads of internal audit to

spend more time together. This

does not need to be a formal
arrangement the relationship
can become closer just through
informal chats and knocking on
the office door to ask questions or
raise concerns. It is important that
internal audit knows they can
come to us at any time and that
we may also approach them when
we need to.
Heads of internal audit can
never have too many friends,
and one with a foot in the
boardroom and a similarly
independent role can be helpful.
Whether audit heads will want to
consult with the company
secretary as a first or last
resort will depend on the
circumstances but it is always
good to have options.

Out of sight, out of mind?

Public and private sectors alike have embraced

outsourcing as a way to improve services, buy
in specialist expertise and cut costs. However,
some organisations have found out the hard
way that outsourcing does not mean offloading
all risks. A new report by the Chartered IIA
examines the role of internal audit in managing
those risks and asks five leading organisations
to share their experiences and lessons learnt.
Words: Ruth Prickett

30

The practice of outsourcing, or contracting

out one or more elements of an
organisations operations, has become
common as large businesses seek to reduce
costs, access technological expertise or
improve customer value.These benefits
apply to both private and public sector
organisations the UK government doubled
the amount it spent on outsourcing between
2010 and 2014 to around 90bn.The total is
likely to grow as budget cuts and spending
freezes prompt organisations of all kinds to
outsource more functions.
However, there are pitfalls. Corporate
failures and scandals arising from
outsourcing have taught commissioning
organisations that the tactic has risks.
Suppliers who fail to live up to their
obligations can cause serious reputational
damage and, however good your contract,
you cant outsource all risk.
This problem isnt going away. A company
may have complex supply chains that span
continents, but the contract between the
commissioning organisation and the
supplier still lies at the heart of the
relationship.This is where internal auditors
can add value.
A new report by the institute, Auditing
outsourced services, outlines various
approaches to managing the risks associated

with contracts and looks at best practice in

leading internal audit functions in five
organisations in the private and public
sectors. Along with the institutes technical
guidance on outsourced services and
extended supply chains, this is intended to
help internal audit teams as they enter the
debate on contract management and how it
can be audited.

The key findings in the report

Outsourcing the service does not
outsource the risk.
Organisations that engage in outsourcing
services all seek competitive advantage.
However, this may lead them to overlook
risks that they wrongly believe to have been
transferred to a supplier. Some may think
that they have thrown the risk over the
fence, but this is a mistake ultimately, they
will still suffer from any reputational damage.
The risks associated with outsourcing
can be serious.
The case studies highlight a number of risks
borne by the commissioning organisation
including: poor visibility of individual
contract performance; lack of contract
management skills; poor relationship and
interaction with contractor; inconsistent
approach to day-to-day contract
management; third-party provider ethical/

cultural issues; and unclear roles and

responsibilities within the contract
management team. Overlooking such risks
may cause service failure or delay, extra
costs or reputational damage.
Internal audit can support boards over
outsourced services.
The board and senior management should
want assurance that outsourcing risks are
being managed. If outsourced services are of
strategic importance they should feature on
internal audit plans. Over time, assuring
outsourced projects is likely to become a
regular feature of internal audits in all
sectors.The precise role, timing and extent of
internal audits involvement will depend

90bn
The UK government doubled the amount it spent on
outsourcing between 2010 and 2014 to around 90bn.

should ideally be multidisciplinary,

with contract management experience
where necessary.
Internal audit can add value by
benchmarking supplier/contractor
performance to drive overall improvements.
Right-to-audit clauses are common it is
important to invoke this clause where high
value or high profile contracts are involved.
Dont rely on a purely systems-based
approach, but complement this with
substantive testing to see the consequences
of control failure.
Where there are several layers of
assurance on a large project involving many
contractors and complex interfaces, ensure
that assurance is co-ordinated so that audit
does not hamper progress.

Internal audit has a key role to play

on the perceived risk it presents to the

organisation, the boards risk appetite,
and the cost and complexity of the
outsourced service.

Lessons for internal audit

Get involved early to help avoid contract
failure. This includes reviewing the
process behind the decision to seek an
external service.
Assess how well risk is being jointly
considered by the commissioning
organisation and the supplier.
Ensure that the audit coverage matches the
scale, nature and number of contracts.
Audit teams working on contract audits

When a service is contracted out internal

audit can get involved in the following ways.
Strategic intent and feasibility. Provide
assurance that managers are using the
recognised process to complete a feasibility
study to show there is a clear business
case aligned with the organisations
strategic objectives.
Implementation and management.
Review the supplier selection process and
assess whether the organisation has
adequate and effective policies and
procedures for tendering.
Contract management arrangements.
Examine the performance management
arrangements when a contract is operating.
The first section of the Chartered IIA
report considers why outsourcing is
important and the role that internal audit can
play.The second section examines five case
studies that lay out different approaches to
managing outsourcing contracts and the
lessons learnt from each organisations
experience.The organisations that took part
in the report are: Crossrail, the largest

construction project in Europe, sponsored

jointly by the Department for Transport and
Transport for London; the Ministry of Justice;
the Home Office; the BBC; and EDF Energy.
To read the full report, visit www.iia.org.uk/
outsourcingreport

Outsourcing in
a nutshell

Outsourcing is the process

of contracting out one or
more elements of operations
to a supplier outside the
organisations management
structure. Organisations engage
suppliers as part of their strategy to deliver
operational objectives. A third party wins a
contract to provide the service at an agreed
price. In many cases a third-party service
provider delivers services for, and in the
name of, the organisation to its clients.
Outsourcing activity is carried out through
the procurement process. Commonly
outsourced areas include back-office
functions such as HR or facilities
management. More complex outsourcing
arrangements include IT support, logistics
and supply chain management. The key
drivers for outsourcing are cost reduction and
access to expertise.
The consequences of poor contract
management are broadly:
Service failure or delay the third party fails
to deliver the service or does not deliver to
the standard specified in the contract.
Higher costs the costs rise because of
changes to prices or the quantity and
quality of services delivered. These
additional costs may not represent value for
money, which ultimately concerns taxpayers
or shareholders.
Reputational damage the third party
behaves in a way that harms the reputation of
the customer organisation.
Regulatory penalties for third-party
actions can also affect the achievement of
strategic objectives. For example, the
Financial Conduct Authority fined three
banks in the UK 42m for failures in
IT managed by third parties, which
prevented the banks customers from
accessing banking services.

31

Take the CIA and join the global profession

The Certified Internal Auditor (CIA) is the only
globally accepted certification for internal
auditors, and its recognised as the mark of
competency and professionalism worldwide.
Studying for the CIA is very flexible you can learn at
your own pace and take the exams whenever youre
ready. Tuition is optional but you will have access to the
CIA Learning System, which includes text books and an
online tool that will generate a unique study plan for you.

What will you learn?

T
 ools and techniques to establish a risk-based
internal audit plan
H
 ow to conduct and manage engagements
H
 ow to evaluate fraud risk and controls
P
 rinciples of governance and business ethics
How to analyse business processes
The latest IT security and system risks

What will it cost?

Registration, exam fees and
the CIA Learning System

F inancial management concepts

1,295 +VAT

REGISTER TODAY

www.iia.org.uk/cia

Want to pass first time?

Take face-to-face tuition
Our CIA exam workshops cover the entire syllabus.
They are led by tutors who are experienced internal
auditors and familiar with the CIA exams. Workshops
complement the CIA Learning System and give you
the best possible chance of exam success.

BOOK YOUR PLACE

www.iia.org.uk/ciaworkshops

Workshop dates
CIA part 1

910 Feb, London

89 Mar, Manchester
1920 Jul, London

CIA part 2

2627 Jan, Bristol

1415 Mar, London
56 Jul, Manchester

CIA part 3

811 Mar, London

2427 May, Bristol
1316 Jun, London

Some fees are payable in US dollars. The exchange rate is based on $1 = 0.644.

IIA3054 CIA ad AW.indd 1

07/10/2015 09:37

You asked us

Q&A
Our technical helpline provides valuable advice to
members on a host of professional issues. Here are
some of the questions youve submitted recently.
Q. When carrying out a
routine audit to confirm
assets have been disposed of
and removed from a record,
would it be sufficient for the
auditor to record the relevant
details on a working paper/
spreadsheet or would a copy
of the actual record showing
the items removal and a copy
of the voucher/approval for
removal be expected for each
item tested?
A. Standard 2330 Documenting
Information states that: Internal
auditors must document relevant
information to support the
conclusions and engagement
results (www.iia.org.uk/
performancestandards).
Practice Advisory 2330.1 (www.
iia.org.uk/documentinginformation) gives
some further information but does not
specify to that level of detail on the collection
of audit evidence. I would check to see if your
internal audit manual stipulates any
particular requirements. If not, I would
suggest a sample of the record tested to be
retained with the working paper for reference
and possibly copies of any records where
errors have been identified.
There is additional guidance provided
in this area on How to Gather and Evaluate
Information www.iia.org.uk/
evaluateinformation and TopTips on
Working Papers www.iia.org.uk/toptips
which you might find useful.
Q. We have inherited an internal audit
rating and scoring system from our
head office that we have been using in
recent years. Now we are thinking of
upgrading our system to something

more in line with current practices.

Would you be able to provide me with
some images or materials relating to
some current rating and scoring
systems used in the industry? I am
hoping that this will help me to design
our next-generation system.
A. There is no right or wrong way to rate or
score internal audit reports, just different
styles according to preference and
circumstances. Having said that, we have
built up a picture of what some people are
using in different sectors so you can judge
whether your methods look better or worse.
See www.iia.org.uk/deliveringfindings
Q. I have recently moved jobs within
the same organisation from head of
internal audit into a group finance role.
I am concerned about a conflict of
interest as part of this new role will
be assuming chair responsibilities on

business unit audit

committees. I would appreciate
any guidance/insight that you
can provide.
A. We are seeing internal auditors
at various levels move into
management roles.This has
always happened as good people
in internal audit are prime
candidates for promotion. It
rewards their hard work and
keeps them in the business. It
also means that people with an
audit mentality take that outlook
into their new roles. A bit of
turnover in internal audit is also
not a bad thing.
Once the head of internal audit
becomes part of the management
team it is then up to the senior
executives to deploy that person
as they see fit. It is unusual for someone to
take up the position of chair of an audit
committee within the business, but there is
nothing preventing that from happening
and it could be regarded as a sound move
given the person will undoubtedly have very
good knowledge of the audit process.
I would only be concerned if there were
undue pressure and influence on the
internal audit team to change the audit
plan in other words, interference with
the independent choices made by internal
audit on what to audit and undue influence
upon what is written in audit reports,
ie, leniency. However, it is up to the new
head of internal audit to make sure that
doesnt happen.
Got a question?
Contact the Chartered IIA technical
helpline on0845 883 4739 or
email technical@iia.org.uk

33

Looking for
more? GO online
Visit www.auditandrisk.org.uk for
more internal audit news and a range
of resources to help you do your job.

institute
news
Carawan elected
institute president

34

At the AGM on 15 October, Dr Mark

Carawan FIIA was elected president
and Paul Boyle OBE FIIA was elected
deputy president of the institute.
Carawan is Citigroup chief auditor
and managing director responsible
for the audit and risk review
department. He has served on the
Chartered IIAs council,
nominations committee and
the professional
development committee.
Boyle is chief audit
officer at Aviva and is
the current chair of the
institutes professional
development
committee; he has also
served on the business and
finance committee. Grant Morrison CMIIA was re-appointed
as chair of the audit committee. All other resolutions were
passed. For a full report visit www.iia.org.uk/AGMreport

Carawan is Citigroup chief

auditor and managing director
responsible for the audit and
risk review department.
Senior chief examiner steps down
After nine years, Paul
Charlton CFIIA has stepped
down from his role as senior
chief examiner for the
institutes exams. Charlton
has overseen the IIA Diploma
and IIA Advanced Diploma

professional qualifications
and the IIA IT Auditing
Certificate during his term of
office, and we would like to
extend our thanks to him for
his significant contribution to
the institute during this time.

New policy and external

relations director appointed
The institute has appointed
a new director of policy and
external relations, Alisdair
McIntosh, who brings with
him over 25 years of
experience in policy-making
and public affairs.
Alisdair will be responsible
for leading the institutes
policy programme, engaging
with key business leaders,
policy-makers and regulators
to promote and develop the
role of internal audit in
improving corporate
governance, risk management
and internal controls.
One of Alisdairs key
priorities will be to build on the
work the institute has done to
develop internal audit across

the financial services sector,

including monitoring the
implementation of its 2013
financial services code,
which was promoted by the
institute, the Financial
Conduct Authority and the
Bank of England.
Alisdair has held a series of
strategic leadership roles in
the UK and Scottish
governments, and at the
European Commission in
Brussels. Latterly he was
director of Business for New
Europe, the leading pro-EU
business organisation, and an
advisor to TheCityUK, the
representative body for UK
financial and related
professional services.

First IACert graduate for Citis internal audit academy

Institute CEO Dr Ian Peters presentedTamas
Hofer, one of the first successful candidates to
complete the Citi Internal Audit Foundation
Academy, with his certificate at a special
ceremony in June.The institute has accredited the
Citi programme so that candidates are also
awarded the IIA Certificate in Internal Audit and
Business Risk (IACert). Citi joins Barclays,
Standard Chartered Bank and BAE in achieving
such accreditation of their in-house programmes.

What if you had more

answers than questions?
FIND CONFIDENCE THROUGH TAILORED INSIGHTS
To make confident decisions about the future, middle- market
leaders need a different kind of adviser. One who starts by
understanding where you want to go and then brings the ideas
and insights of an experienced global team to help get you there.

rsmuk.com

The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM
network is an independent accounting and consulting firm each of which practises in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction.
The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number 4040598) whose registered office is at 11 Old Jewry, London
EC2R 8DU. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by
article 60 et seq of the Civil Code of Switzerland whose seat is in Zug.

Tools for the job

RBIA: standing the test of time

36

Since early 2014 the technical team

and the institutes volunteer writing
group have been working on
guidance to support the tenth
anniversary of An Approach
to Implementing Risk-Based
Internal Auditing.
We have worked on the premise
that the definition of risk-based
internal auditing (RBIA) and the
underlying objectives are as
pertinent today as they were in
2005. If you re-read the detail of the
guidance and we urge everyone to
do so we are confident youll be
able to pick out a range of valuable
advice that is just as sharp and
meaningful as it was ten years ago.
The Chartered IIA defines RBIA as
a methodology that links internal
auditing to an organisations overall
risk management framework. RBIA
allows internal audit to provide
assurance to the board that risk
management processes are
managing risks effectively, in
relation to risk appetite.The aim of
RBIA is to provide the board with
the assurance that it needs on three areas:
Risk management processes, both their
design and how well they are working.
Management of those risks classified as
key, including the effectiveness of the
controls and other responses.
Complete, accurate and appropriate
reporting and classification of risks.
There is no doubt in our minds that the

Instead we have tried to build and

reinforce the messages within the 2005
guidance by providing practical advice
and tools based on what effective
internal audit functions have been doing.
The beauty of RBIA is that it is principlebased, so organisations are able to put
into practice what works for them.
Through external quality assessments
(EQAs) we have been able to see how
good RBIA works but also identify areas
where some internal audit functions
struggle.The guidance we have written in
the past 18 months attempts to share
best practice and fill the gaps for people
who need help.
We have published seven pieces of
guidance to bring the collective
knowledge and experience around RBIA
to our members. Here is a list of the
guidance with links to the resources
section of our website:
How to set up an internal audit activity
(www.iia.org.uk/setupnewia)
Annual internal audit coverage plans
(www.iia.org.uk/auditcoverage)
Risk-based internal audit plans
in financial services (www.iia.org.uk/
rbiafs)
Audit universe (www.iia.org.uk/
audituniverse)
Risk appetite and internal audit
(www.iia.org.uk/riskappetite)
How to plan an audit engagement (update)
(www.iia.org.uk/auditengagement)
What an effective risk-based internal audit
looks like (www.iia.org.uk/goodrbia)

We have published seven

pieces of guidance to bring the
collective knowledge and
experience around risk-based
auditing to our members.
2005 guidance was groundbreaking and that
it has stood the test of time. We have
therefore resisted the temptation to tinker
with the content because it spells out in clear
terms how internal auditors can provide a
valuable and much-needed assurance role in
a world of change and uncertainty. If
anything, that role and the risk-based
approach has become even more relevant
so if something isnt broken, why fix it?

The basics of risk-based internal auditing

Here is an explanation of RBIA
from the 2005 guidance:
RBIA is not about auditing risks
but the management of risks.
It ensures that internal audit
resources are directed towards
assessing the management of
the most significant risks.

RBIA takes account of the

audit committees assurance
requirements.
It informs management and
the audit committee of any
risks on which assurance will
not be provided.
RBIA justifies the number of

internal auditors required.

It requires interviewing,
influencing, facilitating and
problem-solving skills.
It ties all aspects of internal
auditing together from
objectives through to reports.
It identifies residual risks that

are not in line with risk appetite.

It assesses the risk maturity of
the unit or area being audited
and reports this to management
and the audit committee.
RBIA makes clear and
unambiguous conclusions on
risk management.

Planning an external
quality assessment?
Be prepared.
Are you planning an EQA or new in post? The Chartered IIAs
readiness assessment will give your internal audit function a
comprehensive health check and make sure youre fully prepared
for your next effectiveness review.
The service is carried out by our experienced review team and it will:
Highlight any weaknesses in your processes and practices
Identify potential risks to your organisations conformance with
the standards
 ive you clear guidance on how to address any issues and
G
improve performance
H
 elp you to establish a culture of continuous improvement
and develop training plans

GET A QUOTE

Visit www.iia.org.uk/readiness
Call 020 7498 0101

IIA3053 EQA ad AW.indd 1

Why use the

Chartered IIA?
Our independence means you
will get a completely objective
review and because we set the
standards, we truly understand
them. We also have no interest
beyond promoting and
developing the profession, so
well never try to sell you other
services or take over any aspect
of your internal audit function.

29/09/2015 15:33

Student noticeboard

Studentnoticeboard
Essential information for
students is available at
www.iia.org.uk/students

Extenuating
circumstances

Module
CIA Part 1: Internal audit basics

date
910 Feb

Location
London

CIA Part 1: Internal audit basics

89 March

Manchester

CIA Part 2: Internal audit practice

2627 Jan

Bristol

CIA Part 3: Internal audit knowledge elements

811 March

London

Module
QIAL case study 1: Internal audit leadership

date
78 Jan

time
London

Studying to
become
chartered?

QIAL case study 1: Internal audit leadership

2829 Jan

Manchester

QIAL case study 2: Organisational leadership

1314 Jan

London

QIAL case study 2: Organisational leadership

2627 Jan

Manchester

Boost your chances of passing

the case study exams first
time. Our new online learning
system will make sure youre
well prepared, with concise
study texts, practice case
studies, quizzes and podcasts.
Find out more at www.iia.org.
uk/charteredstudy

QIAL case study 3: Ethical leadership

2122 Jan

London

QIAL case study 3: Ethical leadership

1112 Jan

Manchester

QIAL interview and presentation

12 Feb

London

Module

date

time

P1 The internal audit environment

23 Nov

9.30am to 12.40pm

P2 Financial risks and controls

24 Nov

2 to 5.10pm

P3 Internal audit practice

24 Nov

9.30am to 12.40pm

P4 Information systems auditing

25 Nov

9.30am to 12.40pm

P5 Corporate governance and risk management

26 Nov

9.30am to 12.40pm

P7 Internal audit practice case study

26 Nov

2 to 5.10pm

Module
M1 Strategic management

date
23 Nov

time
2 to 5.10pm

M2 Financial management

24 Nov

2 to 5.10pm

M3 Risk assurance and audit management

25 Nov

2 to 5.10pm

M4 Advanced internal auditing case study

26 Nov

2 to 5.10pm

date
23 Nov

time
9.30 to 11.30am

Members who wish for

extenuating circumstances to
be considered in relation to
their exams should ensure that
they read the policy in full
before making a submission by
visiting www.iia.org.uk/
extenuatingcircumstances

38

CIA exam preparation workshops

PEJ completion
Dont put off completing your
professional experience
journal. Its much easier to
record your experience while
you study instead of waiting
until after youve passed the
exams. If you write little and
often, youll soon fill it. And
remember, you wont be
awarded your designation until
your PEJ has been submitted.
Download a PEJ template and
find tips on completion at
www.iia.org.uk/pej

CMIIA workshops

IIA Diplomaexams

IIA Advanced Diploma exams

IIA IT Auditing Certificate exam

Module
A1 IT Auditing Certificate multiple choice questions

Become a Chartered Internal Auditor

Master the strategic and technical skills required to be an effective leader
If youre already qualified in internal audit,
why not maximise your potential and raise
your profile by becoming a Chartered
Internal Auditor?
Chartered status is the gold standard in the
professional practice of internal auditing and
the CMIIA designation denotes the highest
level of professional excellence.

How can you become chartered?

Pass three
case study
exams

Complete a
professional
experience
journal

Be awarded
the CMIIA
designation

Boost your chances of passing

To pass the exams and be ready to lead an internal
audit function you will need to demonstrate strategic
and leadership skills as well as showing advanced
technical internal audit knowledge.
Our new online study system will teach you everything
you need to know, and you can work through the
syllabus at your own pace.
Save time by reading our concise study texts
Learn on the move download study texts to
your e-reader

FIND OUT MORE AT

www.iia.org.uk/chartered

Practise analysing case studies

Take quizzes to help reinforce your learning
Contact your tutor for advice and support

FIND OUT MORE AT

www.iia.org.uk/charteredstudy

New exams lead to chartered status

This year we changed the exams that lead to chartered status to align with IIA Globals qualification framework. That means weve introduced
the Qualification in Internal Audit Leadership (QIAL). The three QIAL case study exams lead to chartered status and members can also complete
a fourth component a presentation and panel interview to gain the full QIAL qualification.

IIA3055 QIAL ad AW.indd 1

09/10/2015 12:32

BTs Group Internal Audit (GIA) is in the unique

position of getting truly under the skin of all
divisions in this fast-paced, ever-changing, global
technology business. GIA provides independent
and objective assurance to senior management
and the Board, providing business-critical advice
as to the adequacy and effectiveness of key controls
and risk management. All of our Internal Auditors
are known for delivering high quality, reliable
advice to clients and colleagues across BT. We
have an enviable track-record of promotions
within the division and to other roles across BT.
We are currently recruiting for vacancies across
our IT, finance and operational audit teams.
Responsibilities:
Planning, performing and reporting of audits
on a risk assessed basis, using appropriate, flexible,
and cost effective methodologies. These will be in
line with professional and divisional standards and
customer needs, acting either as lead auditor or in
support of others;
Tracking audit recommendations to ensure
implementation is achieved against targets and that
the remediation is effective;
Undertaking Sox404 compliance testing assignments
in accordance with Divisional Sox timescales and
documentation standards;
Keeping up-to-date with external developments and
business insight of specified business operations,
strategic imperatives and business risks;
Identify, anticipate and recommend the need for
changes to the audit plan, in response to changing risk
profiles and business needs;
Proactively assists in the identification and development
of leading edge methodologies and best practice.

Desired skills and experience:

Fully CMIIA, CISA or ACA qualified
(or recognised equivalent).
Proven ability to provide business insight of specified
business operations, strategic imperatives and
business risks.
Strong understanding of risk and control
management frameworks.
Relevant business or audit experience with commercial
and financial acumen.
Excellent communication skills, both verbal and written.
Salary: 40,000 52,000 dependent on role and
experience plus 10% bonus
Locations: London, Birmingham, Reading, Sheffield
and Newcastle

To apply, please send your CV and current package

details to kathryn.nash@bt.com as soon as possible

BT Advert_IIA_F.indd 1

20/10/2015 15:17

Training

February
2-4

Book early
and save
Training courses We provide
comprehensive training on every
aspect of internal auditing. Save on all
courses when you book three months
ahead. Browse and book at
www.iia.org.uk/courses

An introduction to
internal auditing
York

23-24

Risk-based internal
auditing an audit
management course
London

March
7

Lean auditing delivering

added value from audit in
an efficient way
London

8-9

Heads of internal audit

induction master class
London

8-9

15-16

Auditing contracts,
outsourcing and
procurement
London

A practical guide
to evaluating risks
and controls
London

15-17

10

17

11

22-23

Assurance mapping
a practitioner's workshop
London
Successful strategies
for audit managers
a master class
London

An introduction to
internal auditing
Surrey
Controls and
human behaviour
London
Techniques for
effective training
London

41

Exciting opportunities in Internal Audit

At RBS, we are focused on becoming the UKs number one bank for trust, customer service and advocacy by 2020.
Internal Audit is central to delivering on that ambition and we are creating a world class Audit Function with top talent
and fantastic opportunities to enhance your career within audit or other areas of the Bank.
We are looking to recruit Audit Managers and Senior Audit Managers to work with some of the most visible
and dynamic parts of our business; Personal and Business Banking, Commercial Banking, Risk and our Operations
and Technology teams.
The ideal candidate is a high calibre individual with strong risk-based audit experience and the interpersonal skills
to build trusted and credible relationships with senior stakeholders in these highly visible and influential roles.
The roles are based in either Edinburgh or London. Please visit our careers site for more details job.rbs.com,
or if you would prefer to discuss our opportunities informally and in confidence, please contact
Scott Somerville on 0131 626 5024 or scott.somerville@rbs.co.uk

Events
Browse and book our programme of
events at www.iia.org.uk/events

Regional events and networking

Our extensive volunteer network
provides local support to members
across the UK and Ireland. Each
region organises a programme of
events to help members network
and stay up to date with
developments at the Chartered IIA.
Find out more at
www.iia.org.uk/regions

November

42

At this two-day conference

on 56 November you
will hear from senior
practitioners on topical risk
areas and take part
in interactive sessions.
The conference will be
followed by a dinner.
Book your place at www.iia.
org.uk/scotlandconference

Qualification
open evenings
Serious about a career
in internal audit? Why
not come along to an
open evening and find
out more about taking
IIA qualifications? Visit
www.iia.org.uk/openevening
to find out more.

4 November
IIA North West Conflict
management: an essential skill
for audit and risk professionals
Manchester
5-6 November
IIA Scotland Annual
conference
Edinburgh
12 November
IIA North East Culture club
Leeds
12 November
Qualifications open evening
Leeds
17 November
Qualifications open evening
Birmingham
20 November
IIA/FAP annual conference
London
26 November
Qualifications open evening
Bristol

December
5 December
IIA Midlands
Networking bingo
Birmingham
9 December
IIA South West
Corporate governance
Congresbury

IIA Scotland
conference

Volunteer for
the institute

We are always looking

for volunteers to join
our regional network.
If you have time to
spare and youd like
to get involved, please
visit www.iia.org.uk/
volunteer

YOUR NEXT BIG MOVE IN AUDIT

VICE PRESIDENT

SENIOR IT AUDITOR

London, up to 100,000 + bonus + benefits

London, up to 60,000 + bonus + benefits

A world renowned investment banking house is looking for a

VP to join its fixed-income internal audit team. You will be joining
one of the most diverse investment banks in the world providing
comprehensive markets, industry, product and advisory expertise
to more than 100,000 plus businesses across the globe. You will
be responsible for audits across the rates, FX and structured
products businesses, as well as liaising with other IB businesses
as required. This sought after institution prides itself on offering
its employees a fast-paced working environment with fantastic
career progression. Ref: 1795131

An exciting and rapidly growing technology business is

currently recruiting a determined internal IT auditor to join its
team. Reporting directly into the Head of IT Audit, you will be
responsible for leading internal projects and providing business
wide assurance. This is a relatively new function and would suit
an individual who is driven and has the desire to influence
the long-term growth of an organisation. This is a fantastic
opportunity to be part of a growing company with lots of
exciting challenges, developments and opportunities in the
year ahead. Ref: 2540293

Contact Joshua Charles on 020 3465 0533

or email joshua.charles@hays.com

Contact William Dale on 020 3465 0012

or email william.dale@hays.com

SENIOR INTERNAL AUDITOR

INTERNAL AUDITOR

Manchester, 50,000-55,000 + excellent benefits

City of London, up to 50,000 + bonus + benefits

A leading financial services business specialising in insurance and

consumer credit now seeks a senior internal auditor. Working as
part of the 3rd line assurance function, you will be a key figure in
ensuring that the business is not put at risk. You will plan, conduct
and report on assignments across the full scope of business
activities. This role offers you the chance to gain a broad range
of audit experience within the framework of a large company
that provides great career progression. An accountancy or audit
qualification is essential for this role.
Ref: 2579226

This global insurance firm has recently acquired a Lloyds market

re-insurance function and is now recruiting for an internal auditor
to join its team. You will be joining a publically listed billion
dollar company providing insurance, re-insurance and speciality
insurance lines across EMEA, Central and Northern America and
Asia. You will work directly with the audit partner across financial,
operational and SOX audits in an autonomous environment.
This is a fantastic opportunity for someone looking to move into
a diverse, progressive and exciting new workplace.
Ref: 2565908

Contact Mike McGibbon on 0151 239 1294

or email mike.mcgibbon@hays.com

Contact Callum Martin on 020 3465 0533

or email callum.martin@hays.com

This is just a selection of the opportunities

we have to offer, visit us online to search
for your next big move.

hays.co.uk/corporate-governance

CG-13958 Audit & Risk 01.11.2015.indd 1

IIA 255 x 205.indd 1

14/10/2015 16:51

15/10/2015 10:16

Audit&Risk-DPS-Nov15:DPS

15/10/15

14:55

Page 1

corporate governance recruitment

Banking

Audit
Risk
Compliance
Security
Legal
Treasury

London
New York
Dubai
Hong Kong
Singapore

Barclay Simpson
Bridewell Gate
9 Bridewell Place
London
EC4V 6AW

020 7936 2601

bs@barclaysimpson.com
www.barclaysimpson.com

Financial Services

Commerce/Not for Profit

Internal Audit Managers

London/Flexible
To6575,000+Bens

Group Internal Auditor

Midlands
To45,000+Car+Bens

Internal Auditor
London
30,000+Bens+Study

Due to expansion and a change in internal

audit structure this respected private bank
and wealth manager is seeking to recruit
two Internal Audit Managers to work
closely with the Group Head of Audit. As a
Manager you will help develop the annual
plan as well as deliver those audits
assigned to you. Candidates will be
considered from internal audit, consultancy
and also compliance backgrounds. CASS
exposure would be beneficial.

Our client, a household name insurance

group, is seeking a group internal auditor
to report directly to the Group Assurance
Manager. You will deliver audits across
areas such as financial / operational
controls, risk & compliance and will also
be expected to contribute to the
development of the annual internal audit
plan. You will be required to interact with
senior stakeholders, challenge processes
and bring new ideas to the business.

An excellent developmental opportunity

for an internal auditor with 12 years'
experience has arisen within this recently
established infrastructure group. Working
closely with the Head of Internal Audit in a
newly created audit function, you will assist
with all aspects of the audit plan, from
fieldwork to presenting to stakeholders. The
group is offering a full study package and
will seek to develop your skills as you
progress within the business.

Internal Audit Manager

West Midlands
To60,000+Car+Bens

Assistant Audit Manager

South West
To52,000+Bens

Lead Auditor UK
Berkshire
65,000+Bens

An opportunity has arisen to join one of the

main challenger banks at their corporate
office. Their core business is providing retail
banking services including a range of lending
and savings products. Based at their office
in the West Midlands they are seeking an
experienced internal audit professional
with extensive financial sector experience.
Reporting to the Chief Internal Auditor you
will form part of a small experienced team
plus co-sourced assistance.

Our client is one of the UK's leading retail

financial services groups with an excellent
reputation for investing in and developing
their staff. As an Assistant Audit Manager
you will report to the Head of Internal Audit
and conduct risk focused audits which will
contribute to the continuous improvement
of control processes. You will engage with
stakeholders at all levels, ensuring that
audit findings are agreed and action points
and solutions are implemented.

This leading telecommunications Plc is

looking to further strengthen their internal
audit function and is seeking an
experienced and qualified internal auditor.
This is an excellent opportunity to gain
commercial audit experience. You will be
expected to complete a variety of reviews
together with unique ad-hoc projects. This
role should be a platform for development
within the group either in audit or
operational management.

Corporate Audit Manager

London
To80,000+Bens

Head of Audit
City
To120,000+Bens

Senior Internal Auditor

London / Regional Base
4550,000+Bens

Our client, a successful global banking

group, is seeking a Corporate Audit
Manager. You will be involved in reviewing
controls surrounding structured finance,
corporate lending and credit risk. Working
closely with senior business managers you
will plan and lead international audits and
review regulatory issues and operational
processes. The role offers an insight into
corporate banking activities and offers
excellent career development opportunities.

This leading City based Lloyds Insurer is

seeking to recruit a Head of Audit. You will
be professionally qualified and have
financial services experience which should
include relevant insurance industry and
team management experience. Attending
Audit Committees and liaising with senior
stakeholders will require personal and
professional credibility. Candidates who
are currently working within a consultancy
environment will be of interest

This diverse FTSE100 group is seeking to

recruit a CMIIA or CCAB qualified senior
internal auditor to work within a wellrespected business unit of an internationally
recognised brand. You must have at least
three years internal audit experience,
ideally with a commercial environment and
have the ability to travel 1020% annually.
This is a progressive opportunity and can
be based in either London, Birmingham,
Reading or Newcastle.

AVP Audit, Global Markets

London/Flexible
To80,000+Bens

Audit Manager
London
To80,000+Bens

Sen. Int. Auditor/Asst Mngr.

Varied Locations
4047,000+Bens

This international bank is growing its

internal audit department. They are seeking
an AVP Audit to undertake a varied
portfolio of audits across their global
markets business as well as supporting
other functions. You will be a qualified
internal auditor with a good understanding
of recent regulatory developments.
Relevant internal or external audit
experience from an investment banking or
capital markets background is desired.

An Audit Manager is sought by this leading

insurance broker to manage their City
based EMEA internal audit team. Ideally
you will have an insurance broking
background but a wider insurance
background will also suffice. You must
have managed a team, be CMIIA/CCAB
qualified and have excellent communication
skills. A second European language is
preferable but not a pre-requisite. Career
development prospects are excellent.

This Top 10 practice is undertaking a

recruitment drive within their internal audit
division. Opportunities exist to work across
clients within the commercial, financial and
public sectors. These roles provide
excellent career development opportunities.
You must be studying or have completed
your CMIIA qualification. Full study support
is available together with refunds to current
employers. Opportunities exist in London,
Birmingham, Manchester and Southampton.

For further details of positions in

Banking contact David Hornsby
020 7936 2601
dh@barclaysimpson.com

For further details of positions in

Financial Services contact
David Jarrold 020 7936 2601
dj@barclaysimpson.com

For further details of Commercial/

Not for Profit positions contact
Steve Driver 020 7936 2601
sd@barclaysimpson.com

Audit&Risk-DPS-Nov15:DPS

15/10/15

14:56

Page 2

t
IT Audit

International

IT Audit Manager
London
To60,000+Bens

Senior Internal Auditor

Paris
55,000+Bens

A commercially minded IT Audit

professional is sought for this US listed
luxury travel group. Reporting to the
Director of Internal Audit you will take
responsibility for the IT audit plan which
includes managing the IT SOx programme.
This is a unique role which requires up to
40% overseas travel and could require you
to spend 23 weeks away. However, all air
travel is business class and you will stay
in some of the finest hotels in the world.

This is an excellent opportunity to develop

your career working within the well
respected internal audit division of a
prestigious global manufacturing group.
The work is interesting and challenging and
typically after 1824 months you will be
expected to transfer into other areas of the
business. Historically these moves are into
senior financial or commercial positions in
Paris or across Europe. Expect up to 40%
international travel.

Senior IT Auditor
Hampshire
To65,000+Bens

Internal Audit Director

New York
$Excellent

An experienced financial services IT

auditor is sought by this international
investment, savings, insurance and banking
group. Reporting to the IT Audit Lead you
will manage the delivery of both application
controls and core infrastructure reviews. In
addition to providing technical expertise on
reviews you will also manage relationships
with IT stakeholders and prepare value
adding reports that help the group
effectively manage the IT landscape.

An Audit Director is sought to build a new FX

audit function for our client, a successful US
bank. The function will provide additional
oversight in North America in line with
enhanced regulations. The role will oversee
the growth of this team, including liaising
with senior stakeholders, recruiting the
team, formulating the strategic audit plan,
and supporting the Global Audit MD. You
must be an established audit leader with
exposure to FX products.

Senior IT Auditor
Glasgow
To60,000+Bens

Senior Audit Consultant

Saudi Arabia
To180,000 Tax Free

This growing banking group is committed

to expanding its IT internal audit coverage
and is keen to recruit an auditor who can
work effectively with stakeholders across
IT, change and the 1st and 2nd line of
defence teams. You will deliver end to end
audit assignments and present your
findings to senior management. Future
progression into roles outside of audit will
be encouraged making this an interesting
option for both now and the future.

Our client is a major regional bank. This

role has been established to support the
Audit Director in the general management
of the department and particularly as they
implement a major audit transformation
programme. You will assist audit function
heads in planning, resourcing and team
development. Previous senior bank audit
management experience gained in a
successful internal audit team in an
international bank is required.

For further details of positions in

IT Audit contact Daniel Flynn
020 7936 2601
df@barclaysimpson.com

For further details of International

positions contact Tim Sandwell
020 7936 2601
ts@barclaysimpson.com

Nationwide Interim Opportunities

Yorkshire
London
Essex
Essex
Thames Valley
London
Glasgow
London
London
South-East

Fixed Income Auditor

Head of Internal Audit
Director of Assurance
Internal Audit Manager
Forensic Auditor
Senior Auditor
IT Audit Consultant
Third Parties Auditor
IT Audit Manager
Ops Risk Manager

Investment Banking
Asset Management
Commerce
Commerce
Public Sector
Commerce
Banking
Investment Banking
Financial Services
Asset Management

to 650 per day

excellent
excellent
to 400 per day
to 250 per day
to 50,000 pro-rata
to 600 per day
to 800 per day
to 75,000 pro-rata
to 600 per day

Barclay Simpson Interim Solutions is the leading provider of

interim recruitment services to the internal audit profession.
For more information on these and many other opportunities,
please contact Andrew Whyte aw@barclaysimpson.com

www.barclaysimpson.com/interimsolutions

Compensation and Market

Trends Report 2015
Includes results of 2015
compensation survey
Up to date overview of
the internal audit
recruitment market
Sector analysis
Trends in salaries and
other benefits paid to
internal auditors
Salary guide
Download your free copy at: www.barclaysimpson.com

Visit

www.barclaysimpson.com
to access a vast range of free
online resources
Search hundreds of audit vacancies
Find your current market value
Information on where best to live
and work
Focus on Computer Audit
Latest information on qualifications

Barclay Simpson has

been awarded the
Diversity Assured
Recruiter accreditation
under the RECs
Diversity Initiative.

For more details visit:

www.barclaysimpson.com/equalopps

Audit&Risk-BP-GlobalFund-Nov15:Audit&Risk-BP MI5-Feb12

15/10/15

14:39

Page 1

corporate governance recruitment

Audit Managers Lead Auditors Auditors

Based Geneva (Relocation assistance available)
Tax Free CHF Salary plus comprehensive benefits
The Global Fund partnership mobilizes and invests nearly US$4 billion a year to support programs
run by country and community experts to defeat AIDS, tuberculosis and malaria. Since 2002,
Global Fund investments have saved 17 million lives with a further 5 million expected by the end
of 2016. The Global Funds Office of the Inspector General plays a key role in safeguarding these
investments through internal auditing, investigations and consultancy work.
The Office of the Inspector General is recruiting enthusiastic and skilled audit professionals to join a young,
rapidly growing and culturally rich team. Were looking not only for highly competent individuals but also
candidates who can demonstrate their ability to build and develop trust and confidence, who can manage
difficult conversations, who are culturally sensitive, effective in diverse environments and who can
influence and negotiate positive outcomes.
With multiple audit requirements across finance, grant management, supply chain, procurement,
governance and human rights departments, to name but a few, your experience could be as varied as
the people we employ. In addition to English and French at least 20 other languages are spoken in the
Office of the Inspector General. Based in Geneva, Switzerland, your work could take you to any one of the
140 countries in which the Global Fund invests to help us defeat the worlds three deadliest diseases.

For further details and to apply please contact Dan Flynn at: df@barclaysimpson.com

Barclay Simpson
Bridewell Gate
9 Bridewell Place
London EC4V 6AW
bs@barclaysimpson.com
www.barclaysimpson.com

020 7936 2601

www.barclaysimpson.com