Beruflich Dokumente
Kultur Dokumente
ull ce
f
useren
Pln
f 15
o
C 20view
re
Plus: IA and the company secretary; building an audit team from scratch
BUSINE
IN
BHBi CE
SS
RATING
LEB
10
YEAR
S
TEN
CELLEN
F EX
10
NAL AUD
TER
BHBi IN
CE
ENTRE O
IT C
39752 BHBi Internal Auditing Ad 255x205.indd 1
19/08/2015 17:21
Contents
14
22
ll e
c
s fu
ren
Plu
nfe 15
Co 20view
re
Plus: IA and the company secretary; building an audit team from scratch
18
Published for the Chartered
Institute of Internal Auditors
byCaspian Media Ltd,
Unit G4, Harbour Yard, Chelsea
Harbour, London SW10 0XD
020 7045 7500
Editors
Keith Ryan
keith.ryan@caspianmedia.com
020 7045 7543
Front
Features
14 Global challenges
5 World view
From Richard F Chambers,
IIA Global president
andCEO.
8 Update
The latest news affecting
the profession.
18 Sowing a seed
Meet four people who set
up an internal audit team
from scratch.
22 Value pool
How United Utilities
benefited from its recent
Chartered IIA EQA.
26 Common cause
A round-up of the
institutes recent event.
12 Reportage
30 Out of sight
10 Conference
Member
matters
33 You asked us
Your questions answered.
34 Institute update
Institute news and
membership matters.
38 Student noticeboard
Essential information
for exam candidates.
41 Courses
Key dates for your diary.
42 Events
Whats on across the UK
and beyond.
Brendan Scott
brendan.scott@caspianmedia.com
020 7045 7572
Chartered Institute
of Internal Auditors
info@iia.org.uk
www.iia.org.uk
020 7498 0101
Subscriptions
membership@iia.org.uk
020 7498 0101
Advertising
Ian Mehrer
ian.mehrer@caspianmedia.com
020 7045 7596
Creative director
Nick Dixon
Opinions expressed by
contributors are their own.
Reproduction in whole or in
part without written permission
is strictly prohibited.
ISSN 2048-8408.
TeamMate
Audit
Controls
Analytics
To achieve new heights, finding the right balance of audit tools is essential.
Only TeamMate offers an integrated set of solutions that include the industrys
leading audit management system, an innovative controls management
system and powerful data analytics.
TeamMate AM
TeamMate CM
TeamMate Analytics
Copyright 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946
03/02/2015 11:04:42
Working to
Bridge the Data
Security Chasm
Cybersecurity concerns and discussions
abound in companies today, which are intent
on addressing these issues aggressively. But
are these intentions translating into effective
policies and actions to secure the crown
jewels of organizations? The answers are
mixed, at best, according to Protivitis 2015
IT Security and Privacy Survey.
Tone from the top is a
critical differentiator
2014
2013
Excellent understanding
29%
23%
27%
Good understanding
45%
51%
48%
Limited understanding
16%
22%
22%
Little or no understanding
3%
3%
2%
Dont know
8%
1%
1%
28%
30%
32%
41%
15%
20%
Dont know
25%
9%
8.6
7.0
Small Companies
(< $1B)
8.0
82%
72%
Record retention/
destruction policy
80%
71%
79%
58%
Written information
security policy
72%
60%
61%
50%
Companies with
high board
engagement in
information
security
7.7
Companies without
high board
engagement in
information
security
6.1
Companies with
all core
information
security
policies
7.5
6.5
Companies
without all core
information
security
policies
6.1
Protiviti Advert_Revised_F.indd 1
20/10/2015 16:30
The list of
pressure points
poses serious
challenges.
A recent Common Body of Knowledge
report from the IIA Research Foundation
describes the dilemma financial services
auditors are facing. The report, A Global
View of Financial Services Auditing:
Challenges, Opportunities and the Future,
highlights the difficulty of serving an
expanding list of stakeholders and the
corresponding scope of work. It appears
the caveat about being careful what you
Prepare to be amazed
An advanced risk and audit
management
solution for
only 200
www.symbiant.uk
16
D WINNING SOFTWARE
OF AWAR
Further information
Karen Bassett is chief internal auditor
at Leeds Building Society and chair of the
IIA Mutual Sector Group Committee. She
was previously chief internal auditor at
Northern Rock/Virgin Money and audit
director at HBOS/Lloyds Banking Group.
UPDATE
Obituary: Sir
Adrian Cadbury
Sir Adrian Cadbury, author of
the Cadbury Report on
corporate governance (1992),
died on 3 September. He was
86. Cadbury was the grandson
of George Cadbury, founder of
the Cadbury factory and the
model community at
Bournville. He retired as
chairman of the family firm in
1989 and was asked by the
FRC and the Stock Exchange
to chair the committee on
corporate governance, which
recommended clear division
of responsibilities at the
top of firms, the importance
of high-quality nonexecutives and full disclosure
of directors rewards.
ISO standard on
supply chains
The International Standards
Organisation (ISO) has
published a new technical
specification for supply chain
continuity. Called Societal
Security: Business continuity
management systems
Guidelines for supply chain
continuity, the standard ISO/
TS 22318:2015 provides
guidance on methods for
understanding and
extending the principles of
BCM embodied in ISO 22301
and ISO 22313 to the
management of supplier
relationships.
For more information
see bit.ly/1NJpH0N
ASIS International, a
body aimed at helping
security professionals,
has published a
new standard
developed in
conjunction with RIMS,
the US-based risk
management society.
Called Risk
Assessment ANSI/
ASIS/RIMS RA.1-2015,
the standard provides
guidance on how to
establish a risk
assessment programme
and conduct individual
risk assessments
consistent with
ISO 31000:2009
Risk management
Principles and
guidelines, as well
as the COSO Enterprise
Risk Management
framework.
It also provides
guidance on how
to conduct risk
assessments for risk and
resilience-based
management system
standards for the
disciplines of risk,
resilience, security,
crisis, business
continuity and recovery
management.
For more information
visit bit.ly/1ONO4eP
Greater expectations
Last month, senior practitioners from across the country and sectors gathered for the
Chartered IIAs annual conference 2015, the largest of its kind in the UK. Delegates
from up and down the country and the leading lights of internal audit, governance and
risk management shared their insights into the unprecedented opportunities,
changes and challenges that lie ahead. We have pulled together some of the most
salient themes of this two-day event.
10
consultative approach.
anticipate, he said.
Richard Chambers,
president and CEO
of IIA Global, told
the audience that if
internal auditors are
to be fully effective
they must audit at
the speed of risk.
The challenge
for internal audit
is how to move
into these softer
areas and
whether it has
the skills to do so.
Sir Gerry Grimstone,
chair of Standard Life
11
REPORTAGE
Each year the Chartered IIA conducts research among heads of internal
audit to find out what internal auditors are really doing in their dayto-day jobs, whats happening to their budgets and what risks are
highest on the teams radar. Here are the results of this years survey.
12
Budget increase
14%
16%
27%
No change
39%
58%
50%
Budget decrease
47%
26%
23%
All
Public
Private sector
sectors sector (non-FS)
69%
43%
72%
12% 32% 2%
8% 11% 6%
7% 10% 12%
4%
4%
7%
1%
0%
2%
000000.00
Out of the list below, which are the top five areas of risk on
which internal audit currently spends most time/effort and
which are the top five risks your organisation is facing?
Time/effort spent
Operational
Adequacy and effectiveness of risk management
Financial reporting and control process
Corporate governance process and structure
Data privacy and security
Regulatory change
IT projects
Fraud
Business continuity
Outsourcing/supply
76%
61%
51%
48%
47%
40%
38%
23%
22%
20%
48%
36%
21%
26%
43%
49%
35%
16%
16%
16%
Choose the top five competencies you and your team need
to perform your work effectively now and those you will
need in five years time
Communication skills
Problem identification and solution skills
Knowledge of industry, regulatory and standards changes
Business/commercial acumen
People management skills
IT/ICT frameworks, tools and techniques
Change management skills
Conflict resolution/negotiation skills
Ability to promote value of internal audit
Accountancy frameworks, tools and techniques
Organisational skills
Now
77%
65%
58%
54%
44%
42%
38%
37%
35%
30%
29%
13
All
95%
92%
89%
71%
50%
46%
29%
Public sector
96%
89%
87%
61%
38%
30%
22%
Private sector
95%
93%
93%
70%
35%
32%
25%
Financial services
95%
96%
90%
75%
82%
75%
36%
14
Global
challenges
Madina Bazarova, associate director
of the internal audit unit Asia at
CGIAR ( The Consultative Group for
International Agricultural Research),
explains why she moved from London to
Malaysia to take up this role and why
soft skills are the key to performing
successful internal audits worldwide.
Words: Ruth Prickett Photographer: Peter Searle
15
16
17
however, Barazova points out, this can be
complicated when working with third-party
projects and its important that all the
organisations understand the legal situation
and what they can and cant publish or do.
Im currently going through the risk
registers for each of the organisations Im
responsible for and identifying which risks
have remained constant and whether there
are new and emerging ones that we should
be auditing, she says. Apart from anything
else, I have to consider the risks to this audit
function we are a shared service and if we
are not providing what these organisations
need they can go elsewhere.This is very
different from my last job. It feels far more as
if I am a consultant.
This, she adds, has stretched her soft
skills and has certainly provided her with the
new experiences and developmental
opportunities she was looking for when she
left Save the Children. Now more than ever,
she says, its vital for her to build
relationships and communicate what internal
audit is trying to achieve, how it intends to do
it and the benefits it provides.
CGIAR
is a global
consortium of 15
independent research
centres generating
agricultural research
to alleviate problems
such as poverty,
hunger, malnutrition
and environmental
degradation.
sowing
a seed
18
In particular, he recounts
setting up an internal audit
function from scratch in a
large international
manufacturing group. He
was new to the business so
made it his mission to
introduce himself to all the
key stakeholders and
understand what they did.
He also had to educate them
about what internal audit
was going to do. I think
even today, people think
you are there to find fault,
he says. I wanted to make
it clear that wasnt the
objective.You need to really
emphasise the benefits.
At Paragon, the groups
internal audit team also
provides internal audit
services to the bank, so the
team wasnt built from
scratch. Nevertheless,
Powell had to assess the
knowledge and skills gaps
that existed for the new
business and plan how to
fill them.The group teams
only real deficit was on the
regulatory side, so he
Heads of internal
audit usually join
an established
team, but they
are occasionally
invited to set up
a function from
scratch. When
this opportunity
comes along, what
are the keys to
success and the
challenges? To
find out we asked
four HIAs with
experience of
putting new
internal audit
teams together
to share their
knowledge and
experience of
how its done.
Words: Wilma Tulloch
19
20
1
2
3
4
5
6
7
8
10
21
Further
information
Value pool
23
View from
Brian May,
audit committee
chair at
United Utilities
The key decision was not
whether to do an EQA, but
who should do it. Mark put
forward the idea of using the
Chartered IIA rather than one
of the Big Four accountancy
firms and we were very
pleased with what this
produced. From my point of
view it wasnt time-consuming
and I had confidence in the
assessor because shes been a
head of internal audit at a FTSE
100 organisation herself. The
feedback was well structured
and was very positive. This
meant there werent any huge
changes recommended, but I
had full confidence in the
assessors opinion and felt it
had gravitas.
24
United Utilities
tips for EQA success
Prepare well
give the assessor
all the documents
they need.
Ensure the initial
scope is clear and
agreed internally so
that it adds value to
the organisation and
answers all the
relevant questions.
Make time to get
input from all the
necessary people.
Make sure you get
the right supplier
who can answer
all these
questions
and has the
right level of
credibility.
Get the right
assessor for your
organisation.
Get someone in
the team to
project-manage the
EQA its valuable
experience and an
important role.
Set time aside
to talk to the
assessor. This is
an opportunity for
both parties to
raise questions and
speeds up the final
reporting process.
Use the
experience to
showcase what you
have achieved.
Be prepared
to be
challenged and
to learn from
others and listen and
respond positively to
the findings.
Looking ahead
The forward-planning process that Lenton and
his team were still developing at the time of
the EQA had been prompted by the increased
need to deliver assurance in a flexible and
efficient way and further enhance its quality.
Lenton was keen to explain to the audit
committee what internal audit could provide
and to find ways to ensure that they could see
what they were getting and to understand
findings. At the same time, he wanted the
broader business to understand better the
purpose and aims of the audit team.
The new process built on what the
organisation had done previously, remaining
25
Common cause
26
The relationship
between internal
audit and different
senior managers
varies from
organisation to
organisation, but
the company
secretary should
be seen as a close
ally in most not
least because the
two roles share
many common
characteristics.
So how can this
work in practice?
Words: Neil Hodge
27
Strategic
report
28
A recent statutory
instrument under
the Companies
Act 2006 requires
the strategic
report from the
boards of all
listed companies
to include a
description of
the risks facing
the company
and how these
are managed.
How can I do this
without internal
audits input?
29
30
90bn
The UK government doubled the amount it spent on
outsourcing between 2010 and 2014 to around 90bn.
Outsourcing in
a nutshell
31
1,295 +VAT
REGISTER TODAY
www.iia.org.uk/cia
www.iia.org.uk/ciaworkshops
Workshop dates
CIA part 1
CIA part 2
CIA part 3
Some fees are payable in US dollars. The exchange rate is based on $1 = 0.644.
07/10/2015 09:37
You asked us
Q&A
Our technical helpline provides valuable advice to
members on a host of professional issues. Here are
some of the questions youve submitted recently.
Q. When carrying out a
routine audit to confirm
assets have been disposed of
and removed from a record,
would it be sufficient for the
auditor to record the relevant
details on a working paper/
spreadsheet or would a copy
of the actual record showing
the items removal and a copy
of the voucher/approval for
removal be expected for each
item tested?
A. Standard 2330 Documenting
Information states that: Internal
auditors must document relevant
information to support the
conclusions and engagement
results (www.iia.org.uk/
performancestandards).
Practice Advisory 2330.1 (www.
iia.org.uk/documentinginformation) gives
some further information but does not
specify to that level of detail on the collection
of audit evidence. I would check to see if your
internal audit manual stipulates any
particular requirements. If not, I would
suggest a sample of the record tested to be
retained with the working paper for reference
and possibly copies of any records where
errors have been identified.
There is additional guidance provided
in this area on How to Gather and Evaluate
Information www.iia.org.uk/
evaluateinformation and TopTips on
Working Papers www.iia.org.uk/toptips
which you might find useful.
Q. We have inherited an internal audit
rating and scoring system from our
head office that we have been using in
recent years. Now we are thinking of
upgrading our system to something
33
Looking for
more? GO online
Visit www.auditandrisk.org.uk for
more internal audit news and a range
of resources to help you do your job.
institute
news
Carawan elected
institute president
34
professional qualifications
and the IIA IT Auditing
Certificate during his term of
office, and we would like to
extend our thanks to him for
his significant contribution to
the institute during this time.
rsmuk.com
The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM
network is an independent accounting and consulting firm each of which practises in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction.
The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number 4040598) whose registered office is at 11 Old Jewry, London
EC2R 8DU. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by
article 60 et seq of the Civil Code of Switzerland whose seat is in Zug.
36
Planning an external
quality assessment?
Be prepared.
Are you planning an EQA or new in post? The Chartered IIAs
readiness assessment will give your internal audit function a
comprehensive health check and make sure youre fully prepared
for your next effectiveness review.
The service is carried out by our experienced review team and it will:
Highlight any weaknesses in your processes and practices
Identify potential risks to your organisations conformance with
the standards
ive you clear guidance on how to address any issues and
G
improve performance
H
elp you to establish a culture of continuous improvement
and develop training plans
GET A QUOTE
Visit www.iia.org.uk/readiness
Call 020 7498 0101
29/09/2015 15:33
Student noticeboard
Studentnoticeboard
Essential information for
students is available at
www.iia.org.uk/students
Extenuating
circumstances
Module
CIA Part 1: Internal audit basics
date
910 Feb
Location
London
89 March
Manchester
2627 Jan
Bristol
811 March
London
Module
QIAL case study 1: Internal audit leadership
date
78 Jan
time
London
Studying to
become
chartered?
2829 Jan
Manchester
1314 Jan
London
2627 Jan
Manchester
2122 Jan
London
1112 Jan
Manchester
12 Feb
London
Module
date
time
23 Nov
9.30am to 12.40pm
24 Nov
2 to 5.10pm
24 Nov
9.30am to 12.40pm
25 Nov
9.30am to 12.40pm
26 Nov
9.30am to 12.40pm
26 Nov
2 to 5.10pm
Module
M1 Strategic management
date
23 Nov
time
2 to 5.10pm
M2 Financial management
24 Nov
2 to 5.10pm
25 Nov
2 to 5.10pm
26 Nov
2 to 5.10pm
date
23 Nov
time
9.30 to 11.30am
38
PEJ completion
Dont put off completing your
professional experience
journal. Its much easier to
record your experience while
you study instead of waiting
until after youve passed the
exams. If you write little and
often, youll soon fill it. And
remember, you wont be
awarded your designation until
your PEJ has been submitted.
Download a PEJ template and
find tips on completion at
www.iia.org.uk/pej
CMIIA workshops
IIA Diplomaexams
Pass three
case study
exams
Complete a
professional
experience
journal
Be awarded
the CMIIA
designation
www.iia.org.uk/chartered
www.iia.org.uk/charteredstudy
09/10/2015 12:32
BT Advert_IIA_F.indd 1
20/10/2015 15:17
Training
February
2-4
Book early
and save
Training courses We provide
comprehensive training on every
aspect of internal auditing. Save on all
courses when you book three months
ahead. Browse and book at
www.iia.org.uk/courses
An introduction to
internal auditing
York
23-24
Risk-based internal
auditing an audit
management course
London
March
7
8-9
8-9
15-16
Auditing contracts,
outsourcing and
procurement
London
A practical guide
to evaluating risks
and controls
London
15-17
10
17
11
22-23
Assurance mapping
a practitioner's workshop
London
Successful strategies
for audit managers
a master class
London
An introduction to
internal auditing
Surrey
Controls and
human behaviour
London
Techniques for
effective training
London
41
Events
Browse and book our programme of
events at www.iia.org.uk/events
November
42
Qualification
open evenings
Serious about a career
in internal audit? Why
not come along to an
open evening and find
out more about taking
IIA qualifications? Visit
www.iia.org.uk/openevening
to find out more.
4 November
IIA North West Conflict
management: an essential skill
for audit and risk professionals
Manchester
5-6 November
IIA Scotland Annual
conference
Edinburgh
12 November
IIA North East Culture club
Leeds
12 November
Qualifications open evening
Leeds
17 November
Qualifications open evening
Birmingham
20 November
IIA/FAP annual conference
London
26 November
Qualifications open evening
Bristol
December
5 December
IIA Midlands
Networking bingo
Birmingham
9 December
IIA South West
Corporate governance
Congresbury
IIA Scotland
conference
Volunteer for
the institute
SENIOR IT AUDITOR
INTERNAL AUDITOR
hays.co.uk/corporate-governance
14/10/2015 16:51
15/10/2015 10:16
Audit&Risk-DPS-Nov15:DPS
15/10/15
14:55
Page 1
Audit
Risk
Compliance
Security
Legal
Treasury
London
New York
Dubai
Hong Kong
Singapore
Barclay Simpson
Bridewell Gate
9 Bridewell Place
London
EC4V 6AW
Financial Services
Internal Auditor
London
30,000+Bens+Study
Lead Auditor UK
Berkshire
65,000+Bens
Head of Audit
City
To120,000+Bens
Audit Manager
London
To80,000+Bens
Audit&Risk-DPS-Nov15:DPS
15/10/15
14:56
Page 2
t
IT Audit
International
IT Audit Manager
London
To60,000+Bens
Senior IT Auditor
Hampshire
To65,000+Bens
Senior IT Auditor
Glasgow
To60,000+Bens
Investment Banking
Asset Management
Commerce
Commerce
Public Sector
Commerce
Banking
Investment Banking
Financial Services
Asset Management
www.barclaysimpson.com/interimsolutions
Visit
www.barclaysimpson.com
to access a vast range of free
online resources
Search hundreds of audit vacancies
Find your current market value
Information on where best to live
and work
Focus on Computer Audit
Latest information on qualifications
Audit&Risk-BP-GlobalFund-Nov15:Audit&Risk-BP MI5-Feb12
15/10/15
14:39
Page 1
For further details and to apply please contact Dan Flynn at: df@barclaysimpson.com
Barclay Simpson
Bridewell Gate
9 Bridewell Place
London EC4V 6AW
bs@barclaysimpson.com
www.barclaysimpson.com
www.barclaysimpson.com