Professional Documents
Culture Documents
Sharing the risk: towards a more integrated assurance solution Hospitality fraud squad: how the hotel industry could cut its losses Name calling: is your reputation bad for business?
Contents
26
Issue 5 May/June 2012
We want to see internal audit taken seriously in the institutions that we regulate
The forward-looking agenda of financial services regulator Andrew Bailey
18
Sharing the risk: towards a more integrated assurance solution Hospitality fraud squad: how the hotel industry could cut its losses Name calling: is your reputation bad for business?
18
Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Alice Hoey alice.hoey@caspianmedia.com 020 7045 7554 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Art editor David Twardawa Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.
22
Front
3 The IIA view
From the CEO, Ian Peters.
Features
12 A very prudent man
The incoming head of the authority thats set to replace the FSA, Andrew Bailey, explains his plans for internal audit to be taken seriously in the financial services industry.
REGULARS
31 Tools for the job
Resources, books and advice to help you perform.
5 World view
From Richard Chambers, IIA Global president and CEO.
18 Better together
How to achieve integratedrisk assurance in your organisation.
33 You asked us
Experts answer readers technical questions.
8 Update
The latest news affecting the profession.
34 Getting qualified
Crucial exam information.
36 IIA update
Institute news and membership matters.
10 Vital statistics
KPMGs survey of how firms are increasingly adopting an integrated approach to governance, compliance and risk management.
26 Mud sticks
Why it pays to safeguard yourorganisations reputation closely.
38 Exam results
We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk
Its been 11 years since the Basel Committee on Banking Supervision issued its first set of principles for internal audit in the banking sector. The past few years, since the financial crisis began, have brought much change in the corporate governance world particularly in relation to banking industry regulation. It was, therefore, high time that the supervisory guidance for internal auditors was updated. Accordingly, the committee recently closed a consultation on proposals for a new set of principles to guide the supervision of internal audit in banks around the world. As part of its drive to create better corporate governance and efforts to help prevent another banking crisis, the Basel Committee is seeking to give internal audit functions in the banking sector more authority, stature and independence. Its proposals make clear reference to the IIAs International Standards and Code of Ethics and commend a risk-based approach to internal audit.These proposals are, therefore, to be welcomed on the whole. But our welcome does come with some important caveats. For example, the proposals reference to a risk-based approach to internal audit is at odds with some prescriptive recommendations about what must be audited and to what timeframe, particularly coverage of regulatory matters. And, while a closer relationship between internal audit and the regulator may be necessary, as the proposals suggest, it is important that regulators appreciate the need for a balance. Internal audits work with boards and executives needs to be as
effective as its work with external supervisors. Getting this balance right is crucial to effective corporate governance and the management of risk. The proposals should make the role of internal audit in banks more pivotal to good corporate governance. The right mix of technical and business skills within the internal audit team is essential to this. Attracting and retaining the right mix of people and skills is a function of remuneration, training and appropriate qualifications. Again, there is a need for balance here. On the one hand, remuneration must be adequate to attract the right skills
The right mix of technical and business skills within the internal audit team is essential
into the internal audit function. On the otherhand, it must not be structured in a waythat could be seen to compromise independence and objectivity. Effectively resourced internal audit functions also need the support of clear guidelines and working practices. And, while
the Basel Committee clearly exemplifies the IIAs International Standards in its proposals, extra sector-specific guidance to enhance these would be beneficial. If appropriately refined to reflect these points, the proposals represent a strong blueprint for internal audit in the banking sector.Their emphasis on greater recognition and support for the profession represents an enormous opportunity for internal auditors, banks, regulators, bank customers and the public interest. And it is providing a firm foundation for the institutes strengthening relationship with the UKs financial services regulators. Our interview with Andrew Bailey on page 12 reflects the growing recognition of the value that internal audit can bring. As the new head of the banking regulator, the Prudential Business Unit, which will become the Prudential Regulatory Authority in 2013, he is clearly welcoming of a closer relationship with the IIA and sets out a positive vision for the role of internal audit in banks. Our challenge as a profession and as an institute is to help turn that vision into reality.
READ MORE
You can view the IIAs full response to the Basel consultation in the Knowledge Centre at www.iia.org.uk
One of the few audit sins worse than ignoring an area at the top of the risk assessment is performing an audit for which the auditors are not qualified.
Last years skillswill not beadequate for completing next years audits
possess or obtain the knowledge, skills andother competencies needed to perform its responsibilities. We all realise that internal auditors are no longer just bean-counters.Todays auditors still need to know how to count the beans, but we also need to understand how the beans are grown, harvested, marketed and shipped. Its impossible to know what will be demanded of internal audit professionals next year. But one thing is certain: last years
skills will not be adequate for completing next years audits. Our profession is changing faster than ever and we are all being affected by the changes. Internal auditors who have been practicing successfully for a decade or more are sometimes finding that they dont have the technical skills they need in order to be successful this year. Its time for each of us to take a freshlook at the tools in our auditing toolboxes. Each of us needs a strategic development plan to ensure that well stay relevant in the future. Luckily, keeping our auditing skills fresh has never been easier. Today there is an almost unlimited variety of seminars, conferences, college courses, online training events, workshops, chapter meetings and round-table events for internal auditors. Regardless of audit schedules, budgets or work locations, any determined internal auditor can find opportunities to improve their skills. Your career is in your hands its up to you to make the most of it. Most of us truly enjoy continuing education opportunities. But if you are one of the few who do not lookforward to improving your skills, just remember the words of Muhammad Ali: Ihated every minute of training, but I said: Dont quit. Suffer now and live the rest of your life as a champion.
UPDATE
Remote working risk guidance
The UK Centre for the Protection of National Infrastructure, which provides security guidance, has published a best-practice guide on managing remote working risks. Find out more by visiting bit.ly/ RemoteWork
We round up the latest business and regulatory news to affect the internal audit profession.
Risk investment improves bottom line
An organisations level of risk investment can affect its financial performance, a new report by Ernst & Young has found. According to its study, Turning risk into results , companies in the top 20 per cent of risk maturity where maturity was defined by the number of risk management practices applied generated three times more EBITDA than those in the bottom 20 per cent. Previously, says the report, senior executives may not have perceived risk management as strategic to the enterprise, or lacked sufficient confidence in their ability to identify and address the risks that could affect the financial performance, or eventhe viability, of their organisation. Our point of view is that companies with more mature risk management practices outperform their peers financially. Our client experience and study results strengthen that perspective, said Randall Miller, global advisory risk leader with Ernst & Young. You can download a copy of the study here: bit.ly/EY_Study
scepticism being applied. The ICAEW says that banks should consider the extent to which the objectives of the auditor, audit committee and executive management are similar or not for the various activities within the annual reporting process, and that the level of cooperation and challenge should be balanced accordingly. The ICAEW also recommends that bank auditors and audit committees should have good relationships with the banks risk committee to ensure a coordinated approach to addressing risk, and that banks should plan well ahead for an efficient year-end process.
REPORTAGE
Getting serious on risk
10
As governance, risk and compliance (GRC) issues continue to make substantial progress up the boardroom agenda, executive management teamswant assurances that all three components are being integrated effectively and efficiently, according to The convergence evolution , KPMGslatest global survey of senior decision-makers on risk.
Today, 41% of boards globally and 50% ofUSboards are taking GRC very seriously , compared with only 10% globally and 13% intheUSbefore the financial crisis.
The main stakeholders exerting pressureon boards to take integrated assurance more seriously are:
Regulators:
The increasing appetite for GRC is driven mainly by a desire to reduce risk exposure (51% globally and 54% among US firms) and the need to tackle overall business complexity (35% globally and 34% in the US).
indication of the higher priority placed on GRC, but also a potential sign that the management of these processes could be better coordinated.
State of play
said their organisations were effective at sharing information and resources across functions. About a third of respondents said their companies were good at ensuring a consistent GRC approach across borders.
Only 9% of organisations globally (45% in the US) said that their GRC activities were fully integrated into their business strategies.
11
For 7% of organisations globally and 16% in the US, governance convergence should result in long-term cost reductions.
ofUS companies saidthat they were effective at ensuring the quality and availability of GRC data.
You can download a copy of KPMGs The convergence evolution report by visiting bit.ly/KPMG_Convergence
12
Being an internal auditor in a complex financial institution is a highly skilled role. I wonder whether the profession gets the credit it deserves
A very prudent man Andrew Bailey has acquired a pivotal role in the UKs new era of financial supervision and regulation. And the internal audit profession has just got itself a new and very challenging friend.
Words: Stuart Rock Photographs: David Short
13
ajor reforms of an entire industry dont come along too often.The dismantling ofthe Financial Services Authority (FSA) is one of themost profound regulatory changes to take place in the UK in the aftermath of the financial crisis. This is not an overnight process. Its not even anover-year process. But, before it is concluded, itlooksset to change the internal audit profession significantly and whisper this very positively. Because the role and effectiveness of internal audit isfirmly on the agenda of one of the principal figurescharged with developing and supervising thenew regulatory regime. We all know Andrew Baileys name. Or,rather, weall know his handwriting. Itshis signature that wesee on every bank note, owing to his stint as chiefcashier of the Bank of England during his 25-year career there. Now the man himself is
emerging intothe public arena. At the end ofJune he will step up to headthe Prudential Business Unit, the part ofthe FSA that foreshadows the Prudential Regulatory Authority (PRA) before it formallycomes intobeing in early 2013.
Building blocks
The PRA will be one of the two so-called twin peaks that, alongside the Financial Conduct Authority, will supervise the financial services industry. A subsidiary of the Bank, the PRA will be responsible for promoting the safety and soundness of the businesses it regulates: deposit-taking institutions, insurers and designated investment firms. The FSA may not have actually used theterm light touch about itself, but this isthephrase that has been attached to it initially approvingly and then damningly. Bailey, who was not inthe FSA himself, is certainly not a man to point fingers, buthe does acknowledge some of theshortcomings of the past. There was , hesaysin measured tones, a relative de-prioritisation of prudential regulation. His job is to restore such a priority.The fundamental building block for the PRA is to be focused on the big issues and risks to institutions and more forward-looking than financial regulators historically have been. One of the key things for the PRA is that we intend to be focused. I dont mind being intensive and intrusive when we needto be, but the fact of the matter is that we need to be focused. This refocused approach to prudential regulation has a clear implication for the firms that the PRA supervises: internal controlsneed to be robust. It is important that the regulator doesnt try to substitute for
14
We do want to see the internal audit profession taken seriously within theinstitutions that we regulate. We want it to have an appropriate profile and thereby bolster the standing of theprofession, because it is important
them, Bailey says. But, if it is doing its proper job, the controls within these firms also need to be doing their proper job. And that is why I am very keen that we include on the agenda of changes the role and effectiveness of internal audit. He admits that he does not have an internal audit background. I cannot preach on this subject from a technical perspective, but I talk quite often to the internal auditor ofthe Bank of England, Stephen Brown, who is good value on these subjects. We find ourselves very much in agreement. Yet he does draw lessons from the changing role of internal audit within the Bank itself. We have tried to ensure that the
It is very important to maintain the clarity that internal audit does not work for the regulator, but for the firm
While some of what I say might sound a bit harsh, there really is good intention here
governance of the audit and risk committee of the Bank is properly aligned so that the members can raise their concerns and get effective action, he says. But there is a considerable degree of scepticism among supervisors at the FSA that this is true among all major institutions today. Bailey does not pull his punches here. There is scepticism about the level of influence that internal audit is able to exercise. There are a number of strands that we want to tackle, he says. Are the internal audit functions effective in their own right? Isthe governance effective in allowing internal audit to play its proper role? Its not only a question of having really good people; its also of whether the governance is
appropriate so that internal audit is taken seriously. Is it able to operate effectively? Dosenior executives and the board take it appropriately seriously, rather than regarding it as a bit of a nuisance? Does internal audit feel that it can raise concerns and get action? Is it properly regarded as acontrol function rather than as a consultancy? Is there a sufficient challenging of the established ways of doing things? These are all tough questions, but Bailey is quick to stress that he is not picking on internal auditors. While some of what I say might sound a bit harsh, there really is good intention here. We do want to see the internal audit profession taken seriously within the institutions that we regulate. Wewant it to
have an appropriate profile and thereby bolster the standing of the profession, because it is important. This is why Bailey foresees and wants much better communication and a stronger partnership between the PRA and the internal audit profession. Its not that there has been a poor relationship before; its merely that there hasnt been one an observation that he regards as interesting and possibly strange . So he intends to do something about it. We should work with the profession to encourage the objectives that we want. In a helpful coincidence, the two parties have got a meaty issue to chew on: the proposals coming from the Basel Committee. Bailey has had several conversations with the IIA and will have more, particularly as the FSA/PRAs proposals and the Basel proposals start to come together. Does Bailey share the IIAs view that the current Basel recommendations are too prescriptive? His reply gives a flavour of hiswillingness and desire to listen and engage with the internal audit profession. It may be true that they are too prescriptive. If so, the only way to deal with this is to have a very effective relationship and communication with the profession where it can say: Thiswouldnt work, but this might. We are open to ideas on this one. There is not a well-formed view.There is more a diagnosis of the problem than there isa mapping of the solution. It is one of thoseissues that the crisis has thrown up thatwe must do something about.
15
Parallel worlds
There is one aspect that he has extremely well-formed views about, however, and thatconcerns the relationship between the regulator and internal audit.
{
We all know Andrew Baileys name. Or, rather, we all know hishandwriting. Itshis signature that we see on every bank note, owing to his stint as chief cashier of the Bank of England
It does seem to me important that internal audit is not a low-paid backwater. If it is, it cannot be effective
16
It is very important to maintain the claritythat internal audit does not work for the regulator, but for the firm.The regulator will want to see that internal audit functionseffectively, in both a technical andagovernance sense, and that what it says is taken seriously and acted upon. Whatis important in my mind is that the regulator does not substitute itself for the internal auditor in the doing of it. We are hereto bolster the standing of the internal audit profession. The role of bolster, not substitute could indeed apply the other way around. Bailey sees parallels between his own world and that of the internal audit profession. Being an internal auditor in a complex financial institution is a highly skilled role. I wonder whether the profession gets the credit it deserves and is able to recruit the people it will need to do that, given that there are more glamorous and well-paid jobs available. Its a bit like us, really we have that in common. Itdoes seem to me important that internal audit is not a low-paid backwater. If it is, it cannot be effective.There has to be a right balance. It is the same challenge that we as financial regulators have with our own staff. Remuneration has to be structured
correctly and it has to be sufficiently attractive for the right sort of people. In the end, of course, Baileys bailiwick extends only so far, while internal audit covers the whole spectrum of corporate life. But the profile and economic importance of financial services let alone the harrowing and complex experiences that the industry has faced in the past five years gives this
newrelationship a particular significance. Internal audit has a new supporter who will bring focus and intellectual rigour to his dialogue with the profession. And his first port of call will be the IIA. The institute understands the need for internal audit to be more effective in complex financial institutions, he says. Were very keen to work with it to push that forward.
Operational executives can get overwhelmed by thenumber of risk reports passed up to them from differentdepartments all trying to provide assurance
18
2 3 4 5 6 7
9 10
Consider the big picture first and identify where to start. Form a crossfunctional team or committee. Define roles and responsibilities early in the process. Beware of building another silo. Get the processes worked out beforeinvesting in newtechnology. Seek out overlaps and build efficiencies. Create a common language and understanding concerning risk. Look for ways of converting compliance expenses into broader businessbenefits. Dont lose the detail in the convergence process. Remember thatintegrated assurance is a gradualprocess.
Better together
Words: Neil Hodge
This approach promises several advantages: overlapsand gaps in risk assessments and controls are more easily identified; costs can be reduced; and information is more effectively shared and acted upon. Whats more, assuranceproviding functions such as HR, legal, IT, finance, risk management and internal audit can all agree a common view of risk and how it should be reported to the board. Unsurprisingly, such benefits are prompting more organisations to consider adopting an integrated assurance framework. Both executives and regulators seem to favour the approach, according to KPMGs recent survey, The convergence evolution , which found that these two groups are the key drivers for more integrated assurance. External auditors and investors were seen to follow closely behind. Why integrate? According to the survey, the increasing appetite in integrated assurance is largely down to a desire to reduce risk exposure and the need to tackle overall business complexity.The results suggest that, for 16 per cent of organisations globally, governance convergence should result in a long-term cost reduction. Experts believe that integrated assurance can simplify risk reporting and prevent executives from getting assurance fatigue . Ian Beale, senior director of the corporate integrity practice at consultancy Corporate Executive Board, says: Operational managers and executives can get
For a growing number of organisations, the keyto effective governance is to identify which departments provide assurance on risks to the business and then get them to collaborate.
overwhelmed by the number of risk reports thatare passed up to them from different departments all trying to provide assurance. These reviews distract teams, repeat questions and leave behind multiple action plans. It is littlewonder that some directors have difficulty aligning all these risks and prioritising them, particularly as the way they are reported can differ widely. Some believe that greater coordination between assurance-providing departments willalso help to improve governance overall. JoeCollins, an independent risk assurance and governance consultant who has worked as an HIA in the energy sector, warns that audit committees and boards are at risk of getting a patchwork quilt of assurance if reporting is notbetter integrated. Theres a real danger that functions that arediligently setting up best-practice standards for employees to follow such as HR, IT and legal are conducting only limited checking to see whether these are being complied with, butare nonetheless assumed to be providing effective assurance by the audit committee, board members and executives alike. As a result, both executives and non-executives can think that the associated risks are being controlled effectively when they may, in fact, not be, Collins says. Anintegrated assurance framework would helpto highlight these deficiencies and internalaudit therefore has a vital role to play in making sure that the
19
20
assurance that these functions are providing and, critically, what they are not is actually understood, he says. So far, regulators around the world have encouraged organisations to consider adopting an integrated assurance framework, but have not made it mandatory (South Africa is an exception: its code of governance principles, known as King 3, advocates a combined assurance model to provide a coordinated approach to all assurance activity). But several industry standards and best-practice guidance documents promote integrated assurance as a viable option. Auditing guidance and standards such as AAF 01/06, SAS70 and ISAE 3402 which require outsourced service providers such as third-party IT specialists to have a mechanism for providing independent assurance for their clients are bringing assurance providers together. Coordination of assurance is also occurring in the public sector. For example, the 2006 Audit Commission document Taking it on trust encourages hospital trusts to review and increase the assurances they receive from sources other than internal audit, including clinical audit to ensure that their full portfolio of risk is covered. More recently, the 2010 HMTreasurys strategic improvement plan for internal auditconsultation stated that a prerequisite for a high-performing internal audit service is that stakeholders must understand all major risks and their related assurance needs, and actively support an integrated assurance process to increase focus, reduceduplicationand eliminate unnecessary cost over assurance . The IIAs International Standards alsosupport the idea of effective coordinationamong assurance providers. PerformanceStandard 2050 Coordination states: The chief audit executive shouldshare information and coordinate
When you integrate, the organisation needs to agree the new rulesof the game
Courses and resources
The IIA offers courses on assurance mapping, run by James Paterson PIIA. Assurance mapping: the foundations , will take place in York on 18 May and 11 September (details can be found at bit.ly/GXrVqv), while Assurance mapping driving further benefits will take place in London on 12 September (more details at bit.ly/HlM9L8). The IIAs Certificate includes an award on integrated assurance that can also be studied as a standalone two-day course. For details, goto bit.ly/HgfPet and bit.ly/GZtLUS The IIA and Global IIA have issued useful guidance to help internal auditors provide better assurance. These documents include: New practice guide on coordinating riskmanagement andassurance (bit.ly/GZNoj7). 2011 practice guideon reliance byinternal audit onother assuranceproviders (bit.ly/GXsIaN). Guidance on coordination of assurance services (bit.ly/GW1GOU).
activities with other internal and external providers of assurance and consulting services to ensureproper coverage and minimise duplication of efforts. The IIA and IIA Global have also issued professional guidance on coordinating assurance to improve risk reporting and management (see panel, left) for more details on relevant courses and resources). Getting it right Internal audit practitioners are certain that integrated assurance is the right way forward. James Paterson, PIIA, director of consultancy Risk & Assurance Insights and leader of the IIAs courses on assurance mapping, believes the secret to its success is sharing with key stakeholders information, processes and controls that are already in place. Crucially, he adds, effective integrated assurance should also include management activities and not simply reports from assurance providers. If an audit committee member has concerns about a key project, an assurance approach would be to consider getting the accountable manager to report how risks are being managed rather than asking internal audit to do an audit of the project, Paterson says. Internal audit would then get involved
These projects can take a lot of time to put into place and to get right. They require strong leadership and coordination
if there were still concerns remaining after that.This approach helps to enhance accountability for risk and control across the organisation, making the best use of existing resources and, over time, improving the robustness of assurance from other sources, he adds. Paterson says that the first steps in providing an integrated assurance model are to agree a sensible scope (including a definition of important terms such as key risk); to clarify the benefits that are being sought; and to determine what level of assurance is going to be provided either reasonable assurance or full assurance , for example. When you integrate assurance activities,the organisation needs to agree the new rules of the game governing what information is key and what is less important, he says. Otherwise, it becomes a subjective almost political document that will not really improve assurance or deliver any lasting benefits. John Harvie, director at internal audit and risk management consultancy Protiviti, says that it is important to coordinate how risk is reported upwards, which means agreeing on the same terminology and how the approach should be embedded. It is the chief risk
officers job to make sure that there is a shared view of risk and risk reporting so that the way that risks are relayed to the board such as using the traffic light system or grading by numbers and so on is consistent.The head of internal audits role is to ensure that these processes are understood and followed properly, he says. Ian Beale adds that the heads of assurance-providing departments need to keep regular contact and share information openly to prevent overlaps or gaps in risk reviews and reporting from occurring.To achieve this, organisations need to conduct assurance mapping to ensure that the approach is coordinated properly and reporting lines are made clear. An assurance map will identify areas where there are gaps and duplication, which assurance providers will need to discuss and resolve, Beale says. That discussion can help to clarify the boundaries of each assurance provider, while also giving the board the opportunity to determine whether adequate and reliable assurance is planned and being delivered. Easier said than done Yet evidence suggests that integrated assurance is far from easy to achieve. KPMGs survey has found that only nine per cent of organisations globally believe that their governance, risk and compliance activities are fully integrated into their business strategies.The main barriers to success they cite are the complexity of managingsuch a project; a lack of resourcesand expertise to do it; and poorly defined benefits. Furthermore, a professional guidance note released by the IIA in 2010 reported that 20per cent of HIAs had found that different terminologies and methods of providing assurance between departments had hindered their efforts to integrate assurance.
All too often I see assurance maps that look colourful, but dont really add any value
Meanwhile, 39 per cent of respondents said that under-developed risk management frameworks were a key problem and 34 per cent blamed the fact that no one would take ownership of the programme. Paterson also believes that few organisations have implemented combined assurance in a way they are happy with and that assurance maps can be flawed. All too often I see assurance maps that look colourful, but dont really add any value or tell you anything new, he says. I see too many organisations trying to map the world when youre much more likely to succeed if you carry out an assurance mapping exercise in a focused way, with a clear idea of the practicality of what is to be done and the benefits that will be obtained. Industry sectors that are leading the field, he says, tend to be those that are more heavily regulated, such as financial services, utilities, pharmaceuticals and some public-sector bodies. Clearly, where there is an external driver to explain to regulators how the assurance jigsaw joins up, it provides an impetus to take action, Paterson says. Further, it encourages a focused scope, which is one of the most important things to manage when you are working on a joined-up assurance model. Although embedding an integrated assurance framework may not be as simple as some practitioners would hope, few dispute the potential benefits. These projects can take a lot of time to put into place and to get right, says Joe Collins. They require strong leadership and coordination from the outset, executive support, a set ofshared goals and an agreed timetable. But,if you take a methodical approach, the potential benefits can be properly realised.
21
Read more about KPMGs The convergence evolution survey on page 10 or visit bit.ly/KPMG_Convergence
22
23
On the house
The extent of the losses uncovered is staggering, especially for an industry that measures its annual gross revenue in the billions.There is a growing awareness that the problem is bigger than anyone wanted to admit, says Brad Bonnell, director, global fraud control group, at InterContinental Hotels Group (IHG). People have tended to think of fraud as a series of incidents to react to, rather than something that can be prevented, adds Jim Gee, director of counterfraud services at PKF and chairman of the CCFS. If all you do is react, youve already incurred losses and it can be very difficult to get that money back. But, while the scale of the overall losses are worrying, the report also highlights the fact that they vary
24
makes them particularly vulnerable to fraud, especially occupational fraud, Bonnell says. Managing the cost of fraud therefore requires a more strategic approach than it would in, say, a retail business, which has the luxury of being able to send the employees home and close the doors while the receipts are counted. The industrys frequent use of subcontractors also increases vulnerability, especially in hotels for which event management is a big part of the business, says John Burbidge-King CEO of Interchange Solutions, a firm that helps companies to mitigate bribery and corruption risk. Hotels, he says, should ensure that they know the background of everyone who works in or with their business. Companies may put prospective employees through the third degree, yet the only thing they know about their suppliers and subcontractors is who the sales representative is. Burbidge-King says. Subcontractors should be vetted, sensibly and proportionately to the risks. Cash is also often freely available in hotels and credit cards are used extensively. Hotels need to equip both their employees and subcontractors with the tools and resources to do their jobs properly and keep things running smoothly.Yet this approach is fraught with risk and means that trust is at a higher premium in the hospitality industry than it is in many other businesses.That applies from the chambermaids and
Were seeing businesses increasingly treat fraud as a business cost like any other
The data that we use tooperate our business, can, once intercepted, easily be converted forpersonal use
receptionists right through to senior managers, Bonnell stresses. The most costly form of fraud, but also the least common, is actually that committed by a senior-level executive, who can divert money to their personal use through fraudulent business reports, he says. This type of crime is less likely to occur ina larger hotel chain owing to some higher level of segregation of duties andmultiple levels of financial oversight. Another factor behind the growth in fraud in the industry is the use of web-based systems for managing reservations, commissions and frequency marketing programmes. Thedata that we use to operate our business can, once intercepted, be easily converted for personal use, Bonnell says. System controls to protect our data and intelligence are often not put into action. well protected organisations areagainst the cost of fraud to their businesses. The worst-protected organisations can be seen to loseten per cent or more, while the best-protected ones lose 1.5per cent or less, Gee says. Ifyou simply look at fraud as something to react to, then not only the fraud but also the investigation costs you money. And, if it goes to court you risk having your reputation and credibility damaged. However, were seeing businesses increasingly treat fraud as a business cost like any other something to be measured, managed and minimised.
And fraud can be tackled effectively at little or no cost. The starting point has to be putting in place a policy that articulates senior managements expectations concerning fraud, says Bonnell, whose strategy at IHG is proactive, consisting of fraud governance, prevention, detection and investigation. IHG aligned its internal audit function with its risk management internal security and investigation group, and has sought advice from expert organisations such as the CCFS, the Association of Certified Fraud Examiners and the American Society of Industrial Security. Ithas also shared best practice
and experiences with peers inthe travel industry airlines inparticular. These efforts highlighted, for example, the potential benefits of systematicdata analytics or datamining of large databases to identify and isolate obvious indicators of fraud. Considering the enormous amount of data that a hotel has to process and manage, what are actually quite obvious indications of fraud can be missed if you dont look hard enough or in the right way, Bonnell says. Internal audit can also play a key role here, with invaluable work such as correcting the systemic defects that contributeto fraud. If equipped to perform forensic auditing, theinternal audit group, joined with investigations, will produceimpressive results, says Bonnell, whose internal audit function has evolved into what IHG has come to view as a vital asset . He adds that internal audit can be critical in conducting the threat assessment. That will, ifdone correctly, stimulate the appetite of senior management to invest in a robust and productive fraud control function, Bonnell says. Internal audit can also measure the effectiveness of a counterfraud strategy to ensure that priorities are properly aligned. That success can be measured, in part, through metrics generated by a hotels whistle-blower hotline and the data analysis programs. An alliance with internal audit, corporate legal and risk
management could produce, at very little cost, a reduction in loss to fraud that could be measured in millions or tens of millions of dollars, Bonnellsays.
Dirty laundry
Fraud may be a thorn in the side for hotels and guest houses, butits far from a new problem. So why ramp up efforts to manage the risk now? Bonnell cites recent legislation such as the SarbanesOxley Act, the UK Bribery Act and the Foreign Corrupt Practices Act as reasons to take a harder line. Because businesses are now held to a higher level of accountability concerning the integrity of their financial controls, they have to demonstrate transparency concerning fraud management, he says. This is forcing the hotel industry to look in the mirror. In their global analysis of fraud across a wide range of sectors, PKF and the CCFS found the overall losses incurred by businesses to have increased since the start of the recession a trend that Gee believes is in keeping with past economic crisis. Fraud is the last great unreduced business cost, he says. There is no better time to set about reducing it than in the current difficult macroeconomic climate, where the financial benefits can reinforce the health and financial stability of the hotels sector. The full PKF report can be found at bit.ly/y5W9by
25
{
Have you heard the one about the Kit Kat and the orang-utans? Its not a joke, actually. In 2010 the environmental campaigning groupGreenpeace accused Nestl the maker of Kit Kat of using palm oil supplied by a company that was destroying the habitat of the endangered primates. Spearheading the campaign against the confectioner was a made-for-YouTube video featuring a bored office worker eating a Kit Kat that oozed fake blood. Mere weeks after the YouTube video was posted and 200,000 complaining consumer emails later Nestl released a statement about itscommitment to tropical rainforests and announced a new partnership with the Forest Trust. Within two months of the campaigns launch, Greenpeace reported: Youll never guess what: Nestl has only gone and agreed to our campaign demands. In an era when reputation is all, Nestl acted quickly and decisively to close down a negative story that threatened to blight one of its leading brands. Theres no question that reputation is a powerful factor. Someorganisations flourish on thebasis of glowing reputations Amazon and John Lewis are goodexamples. Others have the opposite experience think
Everything we do can potentially have an impact on our reputation, either positive or negative
NewsCorporation and the News ofthe World. But what exactly is reputation, anyway?
Permission statement
Its quite hard to pin down a consensus on what reputation really means. Its variously described as a business asset to be safeguarded; a subjective composite of perceptions about an organisation; and the consequence of long-term work on building trust. In truth, its all three and more. For Richard Anderson, chairman of the Institute of Risk Management, Its what gives us permission to go out to the market. And, if we blow our reputation, we blow that permission. By way of explanation, he cites the example of BP . Had the company had less of a reputation before it went into the Gulf of Mexico disaster, it would not have survived. It did so because BP had a deep reputation and the financial resources that made people believe that it would be able to manage its way out of that situation. In that instance, then, reputation was like a licence to continue trading. For Anderson, who is also the managing director of Crowe Horwath Global Risk Consulting, reputation is also a kind of capital that organisations build up. Your reputation is intimately linked with trust, he says. And reputation and
26
When your name is dragged through the dirt, it can take a long time to get it clean again. We ask if organisations are paying enough attention to reputation risk and where the main threats lie.
Words: Wilma Tulloch
Mud sticks
27
{
trust give you permission to be in business. Estimating how much a reputation is worth is equally problematic. But Jean-Paul Louisot, professor of risk management at Universit Paris 1 Panthon-Sorbonne, has a very precise answer. He quantifies reputation as the difference between an organisations physical asset value and its market price. By that reckoning, reputation has a significant economic impact, representing probably between 60 and 70 per cent of developed countries wealth , he says. Its a startlingly high value, but it chimes with research from public relations firm Weber Shandwick. It surveyed 950 business executives worldwide, who strongly agreed that 63 per cent of a firms market value is attributable to reputation. These are big numbers, but why not? After all, a positive reputation goes a very long way. It improves relationships with stakeholders and helps with recruiting and retaining the best employees. It creates a more favourable environment for investment and access to capital. It attracts the best suppliers and customers. It reduces barriers to developing new markets. It helps organisations to charge premium prices. And it reduces the likelihood of litigation and punitive regulation. No wonder its important. As a consequence, organisations in general and risk managers in particular need to ask themselves if they
Reputation has a significant economic impact, representing probably between 60 and 70 per cent of developed countries wealth
are paying reputation as much attention as it deserves. Or are we, as Louisot suggests, all but ignoring the source of two-thirds of our organisations value?
28
For internal auditors, the important thing is to ensure that reputation stays on the radar
organisations appetite for risk, Im considering several things, says Anderson. Im looking at its capacity for managing risks in terms of having the skills and the knowledge. Im looking at its capacity to manage risks in terms of financial resources. Im looking at the organisations capacity in terms
of having the necessary infrastructure and Im also interested in its capacity to manage risk in terms of its depth of reputation. Having that asset of reputation behind you is one of the important aspects in determining how risky you can be in determining how you pursue your business. For internal auditors, the important thing is to ensure that it stays on the radar. Its about
Had BP had less of a reputation before it went into the Gulf of Mexico disaster, it would not have survived
29
challenging the organisation, Cain says. Start with what your organisation is trying to achieve. Find out what people think aboutits reputation. Is it an assetthat they are trying to manage, is it merely appearing as a risk or is it not really appearing at all? And make sure that, whatever management thinks is happening, you can actually provide some assurance that that is the case.
Anderson adds: Organisations have to ensure that they understand what drives the building or the destruction of reputation, just as they have to ensure that they understand what drives performance and what builds shareholder value. Then you can start to look at the risks that have an impact on those reputational drivers. Cain and Anderson agree that internal auditors are ideally
placed both to see how reputation is handled across the business and to raise its profile in the right places inside the organisation. Above all, the profession needs to understand its importance. Since internal auditors are increasingly moving away from financial audit, reputation really ought to be one of their key focuses, Anderson says. Thats because its a major component of shareholder value.
31
have these fears, but its important to remember that the audience is on your side. We teach you how to work through the audience a little at a time. This piecemeal approach is essential, he explains, because to take a complex audit report and present it verbatim simplydoesnt work. We encourage peopleto break their presentation down intosmall, logical elements and then rehearse each of them until these can be delivered with confidence. Dormer tackles the beginning and end first and then works on the tricky bits in the middle. We start with the introduction, which is often the most difficult element, because your mind is buzzing with worry and embarrassment, he says. Once people on the course are polished at making
Career development
When it comes to achieving success in exams, knowledge is not everything, says John Chesshire.
more than one dimension, he points out. For example, a question might ask you to list four risks and then to describe the appropriate mitigation of those risks. Often candidates will answer the first aspect but forget to address the second. The workshop is designed to give candidates confidence that they have all the skills they need to do their knowledge justice. As well as highlighting the common pitfalls, it provides some usefultips on preparing for and takingexams. There are various thingsthat candidates can do to boost their chances of success, Chesshire explains. For example, before even turning over the paper its a good idea to write down all of the things you have been desperately trying to remember.That information is then down on the paper should you need it, so that you can focus on the job in hand. He also advises candidates to consider the order in which they attempt the questions, because simply working through the paper in sequence may not always be the best approach. Almost all papers have a compulsory first section, based on a scenario, followed by a section where you typically have a choice of three questions out of four. Id advise going to the
32
Be as disciplined as possible, setting aside some time specifically for your studies
second section first and tackling the two questions you feel mostconfident about, he says. That gets you into the exam frame of mind and boosts your confidence before you tackle the more challenging elements. Effective preparation is, of course, crucial.This should include ensuring that you know whats on the syllabus as well as gaining an understanding of what the examiner is looking for. Past papers can prove useful here, according to Chesshire. While each paper is slightly different and has its own character, they can help you to get an idea of the style of approach of the examiner, he says. Knowing what to expect can build confidence and you can also practice the papers against the clock. But he cautions that answers provided in past papers should be seen only as a guide: If your answers are different, they arent necessarily wrong. Candidates can learn a great deal from colleagues who have taken the exams, as well as from their tutors. Many students are not demanding customers, so they fail to make the most out of this resource or the more local assistance thats available to them, Chesshire says. For many IIA members, simply coping with the volume and pressures of study alongside their professional duties will be the biggest challenge. Be as disciplined as possible, setting aside some time specifically for your studies, and make sure that you also take some days off, Chesshire advises. Approaching your exams in a methodical way, little by little, can greatly improve your chances of success. For more information about the workshop or to book your place, email learning@iia.org.uk
You asked us
Our technical helpline provides valuable advice to members on ahost of professional issues. Hereare some of the questions youve submitted recently.
Q. I recently presented my annual opinion to the audit committee and it has requested that I be more explicit about why I gave the opinion I did. The CEO said she felt that my opinion needed more context, with more on the positive things that have happened in the organisation, such as improvements in financial reporting. While I agree about the importance of presenting a balanced view, I dont feel I can or should comment on matters I cant substantiate from my audit work or dont have evidence to support. Should the annual opinion rely only on internal audit work? A. Im encouraged that your organisation is taking so much interest in the opinions you give.It is a positive sign that you have a high profile and that the work of internal audit is understood and appreciated. Supporting your opinion with brief referenceto the individual audit engagements and the highlightsfrom these will put your opinion in context and helpto highlight the priority of the issues involved, so it would be a positive step. I appreciate that balance is required and that acknowledging improvements is a good thing, but I agree that it would be risky on your part to refer to these without validation. I would include assurances from management or other assurance providers only where you can substantiate the improvements that have been made. But I think you have a few options.You could include a section (perhaps after the opinion) that recognises what management has done, indicating that you havent been able to validate this yet, but will provide assurance to the next meeting of the audit committee, building that work into the early part of your new audit plan. Alternatively, you could have early discussions with management or other assurance providers about your opinion that would allow you to make some validation of key or high-priority changes.The practicalities of doing either would have to be thought through and you may come up with a better option. But arriving at some form of solution without compromising your principles has to help your relationship with senior management and theaudit committee. Q. Do you have any advice on what a risk management strategy document should contain, as we have been asked to review the strategy document and provide advice? A. I suggest that you have a lookat our risk management page in the resource library at bit.ly/IIA_Risk.There are documents in the approaches section that talk about how to develop a risk strategy.There is no right or wrong way, but I would recommend the HMTreasury Orange Book and ISO 3100. Q. Is it compulsory for an internal audit function, irrespective of its size, to comply fully with the IIA Standards? Is it acceptable to state which standards it partially complies with and which it doesnt? A.There are three elements to the International Professional Practices Framework: the Definition of Internal Auditing, the Code of Ethics and the International Standards. All of these are mandatory and apply to all internal audit activities, regardless of size. Having said that, IIA Global has recognised that some small internal audit activities may have problems and has recently published a practice guide to help small teams interpret and cope with the standards. It might be useful to look at that if you work in a team of five people or fewer. To answer the second part of your question, the standards are principles and are open to interpretation, so some flexibility is allowed. It is also reasonable to identify a specific point at which you partially comply, but
Q&A
are working towards full compliance, forming a plan as to how and when you will achieve it.This should be discussed with your audit committee and senior managers, as they are best placed to help you interpret how the standards can be applied. In fact, Standard 1312 requires you to do just that: When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board. As the standard suggests, whether it is acceptable for you to partially or not comply depends on the impact this has upon the organisation.The standards are not simply rules; they are principles designed to help you deliver a valued service. It makes sense, therefore, to work this out with the people you are supporting. Got a question? Contact Chris Baker onthe IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk
33
Student noticeboard
Student noticeboard
Essential information for exam candidates. Visit the student information centre at www.iia.org.uk for updates.
CRMA the new mark of distinction
IIA Global has launched a newprofessional certification: the Certification in Risk Management Assurance (CRMA). This is aimedat experienced internal auditors and provides international recognition for expertise in delivering assurance on risk management, governance andstrategy. The CRMA is available to IIA members for a limited period viaa professional experience recognition route. This means that, until the exam becomes available in 2013, members can gain the accreditation solely on the basis of their existing qualifications and experience. Toachieve the CRMA, a total of 155points are required, based on the following criteria: First degree: 20 points. Masters degree: 25 points.
well-deserved recognition for all their hard work. Visit www.iia.org.uk/crma for further information.
the IIA website at bit.ly/FRtypt, along with the pre-exam instructions to candidates.
Authority-to-sit correspondence
Correspondence will be sent out to students registered to sit the June exams on 11 May. Candidates will be required to present a copy of this, as well as a photographic identification document, on entry to the exam room. If you have not received your correspondence by 18 May, contact exams@iia.org.uk or call the assessment coordinator, Aneta Zieba, on 020 7819 1928. Pre-exam instructions will also be made available on 11 May in the Student Information Centre at www.iia.org.uk. The authorityto-sit correspondence will remind students to read these instructions in the run-up to the exams. Further information about your exam venue is also provided on the Examinations page of the website.
34
Professional certification
(maximum 30 points): CIA, CCSA or CMIIA: 30 points. PIIA: 20 points.
Academic qualification
(maximum 25 points): A-levels or equivalent: 15 points.
Your CPD
The Qualifications & CPD section of the IIA website provides detailed information on the institutes CPD policy and members CPD requirements. One key requirement is that voting members monitor their professional development plans over the year. If you are a voting member, please take a look at the resources on the website and check that you are meeting your requirements. For more information, contact the CPD team on cpd@iia.org.uk or call 020 7819 1928.
the format of submissions. An updated version of the journal is now available at bit.ly/GAj6Sv. Section 5, Completing your reflections , includes additional information on how students may approach documenting their evidence, with a further example given covering the IT basics competency.
14 May. Materials for the IIA Diploma accelerated route and the IIA Advanced Diploma will be published online in the Student Information Centre. Students will be reminded of the release via email on 14 May, so they should ensure that their contact details are up to date. Visit the My profile section of the Members home page at www.iia.org.uk.
Extenuating circumstances
Students who are taking the June 2012 exams and wish special circumstances to be considered should read the IIAs policy in full before making a submission. This can be found in the Regulations and policies section of the Student Information Centre on the IIA website. Chief examiners advise that the circumstances being cited by candidates should apply to the day of the exam. While some flexibility will beshown, consideration of a claim will concentrate on the possible effects that an extenuating circumstance might have on the day of the exam. Any circumstances that a candidate claims have affected
their preparation in the weeks or months before an exam and, therefore, their performance on the day, will be subject to rigorous scrutiny. Students who wish to submit details of extenuating circumstances occurring on the day of the exam must do so to the IIA within two weeks of the exam date. Correspondence must be accompanied by documentary or supporting evidence in accordance with the requirements of the policy.
35
IIA UPDATE
36
Quality services
The IIA recently introduced a range of quality services (see Raising the bar in the March/ April issue), which it developed in response to demand from members. To support and enhance these new services, ithas produced a range of guidance and documentation, including a free self-assessment checklist, which members can download. For further details visit bit.ly/QualityServices. If you would like your organisation to be one of the first to benefit from an IIA external quality assessment andtake advantage of an introductory discount, email technical manager Chris Baker at chris.baker@iia.org.uk.
May
8-9
IIA award in the effective delivery of audit and assurance London
18 22 23
June
12
HIAS: Auditing HR risk a professionals perspective London
19-21 tbc
10-11 10
IIA North East: Driving business value and enhancing internal audit practice Sheffield
Keith.morgan@abbotel.com
37
July
5
IIA Midlands Annual Conference: The challenge of change Belfry, Wishaw, Sutton Coldfield
23-24
15-17 16
24-25 24-25
19
17
Improving audit reports for senior practitioners and heads of internal audit London
IIA South West: Annual conference auditing in an increasingly demanding environment Hilton Conference Centre, Congresbury
Email: john.thomasson@iia.org.uk
Charities Internal Audit Network: AGM and quarterly meeting Charities update and risk management LONDON
info@cianonline.org.uk
17
Retail Audit Forum Meeting: Themed around computer-aided audit tools (CAATs), cost cutting and stress management University of Warwick
Email: john.beagan@brc.org.uk Tel: 020 7854 8921
25 29
Congratulations to the IIA members below, who were successful in the November 2011 exams.
The Chartered Institute of Internal Auditors is the only organisation offering recognised professional qualifications for internal auditors in the UK and Ireland.
In November 2011 the following students successfully completed the examined element of the IIA qualifications: IIA Advanced Diploma in Internal Auditing and Management examscompleted
Small, Colin Peter Smedmor, Christopher David Stirling, Alexis Stringer, Richard Stubbs, Bharati White, Pinar Woods, Tracey Wright, Daniel
Arora, Dimple Anderson, David Atkinson, Andrea Ann Atri, Sunita Sanjay Bailey, Robert Bamberger, Rupert Beckett, Kelly Marie Benmaamar, Sobh Belgrave, Natasha Brant, Andrew Bennett, Helena Breeze, Benjamin John Bertie-Snell, Pia Louise Brown, Stewart Beveridge, Francesca Cantwell, Grace Bolster, Peter Coogan, Stuart David Roy Bourke, Anna Cooper, Alan Bramley, Sharon Culverhouse, Steve Brooks, Elizabeth May Davies, Robert Bykova-Nimmo, Iryna Benjamin Lloyd Cheng, Kenneth Geeken Denny, Gemma Louise Clarke, Steven Ellis, Matthew Clayton, Tessa Fenn, Rowan Charles Clutterbuck, Simon France, Wesley James Richard Furness, Jon Antony Coleman, Susan Gray, Andrew Conchie, Ruth Elaine Greenbeck, Fiona Coughlan, Alexandra Hamilton, Andrew Coveney, Paul David Cox, Leisyen Harrold, Lee Peter Craddock, Victoria Meron Heaphy-Davies, Lindsey Crane, Lewis James Hewitt, Paul Crook, Emma Hinde, Katharine Cross, Helen Hopewell, Peter IIA IT Auditing Curtis, Peter Andrew Jones, Philip Charles Certificate exam Daire, Iain Kaburara, Kimuli Del Greco, Gabriella Kennedy, Kelly completed Antonietta Khan, Addiba Delorey, Nicola Kidd, Jonathan Hoy, Lindsey Miriam Dennis, Hannah Elizabeth King, Simon Richard Jones, Matthew Simon Dickson, Gavin Kenneth Kitchin, Julie Ray, David Alistair Fell, James Lamb, David Robert Rosser, Arran Steven Fiddes, Carolyn Lefevre, Irene Solomon, Martyn Colin Fraser, Heather Lennon, Julie Catherine Gilchrist, Laurie Jolyon Lourie, Matthew The following Girvan, Deborah McCaffrey, Orla students Griffith, Richard McHugh, Matthew Ian successfully Harris, Michele Jean Melluish, Helen Cheryl completed the Hazell, Philip William Miller, Adam following exams Heather, Alison Moloney, Kevin John in November 2011: Hetherington, Julie Momoh, Oluyomi Hussain, Zakir Murray, Debbie P1 The Internal Jackson, Craig Shaun Maria Louise Audit Environment Jackson, Peter Wesley Njolai, Eric SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 Jonas-Nartey, Jocelyn Oldham, Justin Adeyemi, Abimbola Kapoor, Harleen Ooi, Justin Ali, Shiraz Kendall, George Povey, Alex Andrews, Daniel Mark Killen, Melanie Rashid, Shahid Kirk, Maureen Armstrong, Katie Robinson, Andrew Lawson, Susan Helen Arora, Dimple James William Lesware, Gillian Atwal, Jaswinder Kaur Sharman, Nicola Ann Lyons, Mark David Barrow, Gemma Maria Shephard, Kelly Martin, Mairead Rotsin Bolton, Melissa Marie Sheridan, Steven
38
Martin, Sebastian James McCarthy, Connor McNeil, Isobel Mcgregor Mearns, Vicki Mennear, Catherine Helen Louise Middleton, Karen Miles, Neil Mo, Simon Nicholson, Christian Mark Ovard, Neil John Peak, William James Pope, Robert Ravindranathan, Ramah Revell, Susan Rice, Michael Liam Richards, Lianne Richardson, Angela Robertson, Dorothy Russell, Robert Martyn Saxton, Nigel Scott, Gavin Denis Semken, Timothy Sharpe, Graeme Shepherd, Anna Shirley, Lana Simonite, Kyle Sloman, Anne Smith, Claire Smith, Karen Patricia Spilsbury, Grant Bernes Street, Anna Louise Tang, Adrian Taylor, Paul Thomas, Merina Tod, Graeme Duncan Willshire, Richard Wilson, Janine Wootten, Jenny Rose Worrall, Jennifer Helen Zacal, Sarah Lorraine Amy
Bramley, Sharon Briers, Imogen Brown, Steven Edward Brownley, Rebecca Louise Burke, Deborah Jane Byers, Matthew John William Clarkson, Barry Clewes, Joanne Elizabeth Coughlan, Alexandra Coughlan, Michelle Cox, Leisyen Cull, Barrie Arthur Dawkins, Carol Dawson, Carlien Doyle, Allan Duffield, Deborah Nicole Elliott, Nicola Leigh Enfield, Mark Evans, Craig Paul Fittall, Rachel Elaine Fuller, Daniel Goldsmith, Lorna Colbera Greenhow, Triston John Haggerty, Robert James Hainsworth, Richard Anthony Hampton, David Hardwick, Victoria Harris, Michele Jean Holden, Russell Khimani, Dharmila Kilcullen, Annette Koterba, Silvan Marko Lambert, Paul Le Grossec, Elisabet Le Roux, Lone Kirsten Leong, Meng-Chee Manson, Christopher John McCabe, James Alexander Middleton, Karen Millais, Joanne Denise OHalloran, Brid Oughton, Arthur Parnell, Fiona Jane Peak, William James Quirk, Johanne Elaine Roblin, Lloyd Scott, Gavin Denis Semken, Timothy Shah, Nalin Sharma, Surita Simoes, Pedro Sloman, Anne Southgate, Laura Street, Anna Louise Thomas, Alex Thompson, Natasha Tong, Jennifer Waters, Joanne Patricia Welsh, Robert Wyatt, John Martin 17/4/12 12:11 Yap, Felicia
Barker-Arnone, Emma Branston, David Brown, Steven Edward Byers, Matthew John William Bykova-Nimmo, Iryna Clarke, Steven Clutterbuck, Simon Richard Coleman, Susan Connolly, Angela Coveney, Paul David Daly, Michelle Del Greco, Gabriella Antonietta Dennis, Hannah Elizabeth Draper, David Patrick Dundas, James Enfield, Mark Etule, Raymond Evans, Julie Fell, James Gilbert, Hollie Gilchrist, Laurie Jolyon Girvan, Deborah Hampton, David Heather, Alison Heeley, Jessica Ruth Howe, Sarah Jayne Hussain, Zakir Jackson, Christopher Jackson, Craig Shaun Jonas-Nartey, Jocelyn Jones, Gregory Paul Kaur, Sharonjeet Kilcullen, Annette Killen, Melanie Le Grossec, Elisabet Lewis, Catrin Martin, Mairead Rotsin Masoeu, Kamohelo Matkin, Katerine May McCabe, James Alexander Newell, Katherine Julie Nicholson, Christian Mark Page, Michael Pap, Timea Pinch, Steven Robert Plaxton, Andrew Douglas Pope, Robert Powell, Gemma Kelsey Ravindranathan, Ramah Redward, Tim James Rice, Michael Liam Sharpe, Graeme Silver, Colin Simoes, Pedro Simonite, Kyle Smith, Adrian Brian Smith, Claire Spicer, Mark Spilsbury, Page 1 Grant Bernes Talwar, Kieran Tang, Adrian Thrupp, Michael Tod, Graeme Duncan Wilkin, Gary Andrew Wilton, Rebecca Ann Yap, Felicia Zacal, Sarah Lorraine Amy
P3 Internal AuditPractice
Ackred, Matt Richard Aitken, Anne Al Ruqeishi, Yasir Ali, Mohammed Kashem Ali, Shiraz Andrew, Stuart Atalla, Amanei Baldwin, Tanya Banu, Rahela Bennett, Helena Binnie, Andrew Booth, Darren Breach, Paul Jonathan Clewes, Joanne Elizabeth Coulthard, Rachael Daly, Michelle Eyre-Walker, Louise Firth, Adam Gilbert, Hollie Goldsmith, Lorna Colbera Grainger, Nicholas James Griffiths, Emma Elizabeth Hainsworth, Richard Anthony Handley, Lisa Harris, Heather May Carole Hedges, Sophie Jeffree, Andrew John Khanom, Kamrun Knapman, Kelly Leighton, Ruth Emma Martin, Sebastian James McCullough, Johanne Moore, Christopher David Mulligan, Kevin Neagu, Mariana Penlington, Mark John Rees, Andrew Rimmington, Mal Roberts, Linsey Saleem, Saqib Seymour, Rebecca Simonite, Kyle Smith, Lauren Thomas, Alex Varvill, Richard Vaughan, Peter Edward Velvick, Jonathan Virketyte-Lleshi, Inga Vose, Kathryn Ward, James Lee White, Jessica Willshire, Richard
Working with aspiring members of The Chartered Institute of Internal Auditors since 1989
Seymour, Rebecca Arrowsmith, Steve Shepherd, Anna Atalla, Amanei Silver, Colin Atwal, Jaswinder Kaur Smith, Frances Bailey, Robert Smith, Karen Patricia Baird, Barbara Smith, Lauren Baker, Janet Irene Stacey, Jane Peggy Baldwin, Tanya Swainson, Karen Ann Baranowska, Ilona Margaret Beckett, Kelly Marie Swift, Louise Marie Bennett, Helena Taylor, Justine Bessell, Robert Taylor, Paul Bolster, Peter Tillman, Alan Bourke, Anna Tong, Jennifer Briers, Imogen Turner, Julie Byers, Jessica Jane Vaughan, Peter Edward Collins, Jonathan Vicary, Yvonne Jane Colyer, Gary Colin Vipond Murray, Victoria Couch, Nathan Louise Counsell, Jennifer Virketyte-Lleshi, Inga Craddock, Victoria Meron White, Jessica Crane, Lewis James Willshire, Richard Cross, Helen Wilson, Charlotte Daire, Iain Wong, Maurice Davidson, Mark Scott Ian Dawkins, Carol P7 Internal Audit Delorey, Nicola Garner, Gemma Louise Practice Case Study Grainger, Nicholas James Griffiths, Emma Elizabeth Belgrave, Natasha Cheng, Kenneth Geeken Harris, Heather May Carole Clayton, Tessa Hayre, Baljit Conchie, Ruth Elaine Hazell, Philip William Crook, Emma Hazell, Stephanie Curtis, Peter Andrew Victoria Pamela Dickson, Gavin Kenneth Hedges, Sophie Fiddes, Carolyn Hetherington, Julie Griffith, Richard Howe, Sarah Jayne Kapoor, Harleen Jackson, Craig Shaun Mearns, Vicki Jackson, Peter Wesley Mo, Simon Jackson, Struan Rae Russell, Robert Martyn Jeffree, Andrew John Thomas, Merina Kendall, George Wilson, Janine Killen, Melanie Worrall, Jennifer Helen Knapman, Kelly Lambert, Paul M1 Strategic Lawson, Susan Helen Manson, Christopher John Management McMahon, Rebecca McNeil, Isobel Mcgregor Anderson, David Moore, Christopher David Ashmore, Victoria Morgan, Gail Beville, Paul Guy Morton, Eric Alexander Breeze, Benjamin John Mulligan, Kevin Brown, Stewart Mulvey, Keith Buwu, Selina Neagu, Mariana Cameron, Angela Neish, China Constance Chessman, Erica Anne OHalloran, Brendan Clark, Michael Mclean Christopher Clarke, Paula OHalloran, Brid Coe, Allan Edward Cox, Richard James Pap, Timea SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 P5 Corporate Davies, Victoria Anne Payne, Clive Governance Dodds, Clare Elizabeth Pinch, Steven Robert and Risk Furness, Jon Antony Ravindranathan, Ramah Georgiou, Koulla Renton, David Management Hamilton, Andrew Revell, Susan Aitken, Anne Hammond, Sarah Roberts, Linsey Al Ruqeishi, Yasir Kathleen Robertson, Dorothy Andrew, Stuart Harrison, Andrew Roblin, Lloyd
Chambers, Paul Geoffrey Clarke, Steven Clutterbuck, Simon Richard Cox, Leisyen Craddock, Victoria Meron Craven, Hilary Dawson, Carlien Del Greco, Gabriella Antonietta Draper, David Patrick Elliott, Nicola Leigh Fanning, Nicholas Robert Fines, Barry John Franklin, Andrew Franks, Grant William Fraser, Heather Gallagher, William Paul Garden, Susan Jane Hardwick, Victoria Hazell, Philip William Heather, Alison Heaton, Rachel Ann Heeley, Jessica Ruth Hussain, Zakir Hutchins, Alice Christine Jackson, Craig Shaun James, Derly Eliana Kendall, George Kirk, Maureen Lesware, Gillian Lewis, Catrin Lucas, Kane Anthony Lyons, Mark David Matkin, Katerine May Mennear, Catherine Helen Louise Miles, Neil Morton, Eric Alexander Nicholson, Christian Mark Osmond, Sarah Jane Ovard, Neil John Pope, Robert Ravindranathan, Ramah Renton, David Richards, Lianne Richardson, Angela Saxton, Nigel Sharpe, Graeme Shirley, Lana Spilsbury, Grant Bernes Swift, David Talwar, Kieran Tang, Adrian Ward, Theresa Rose Watts, Jenny Webb, Joseph Wootten, Jenny Rose Yorkston, David
Hirst, Matthew Kaburara, Kimuli Khan, Addiba Lennon, Julie Catherine Lockhart, Neil Harrison Long, Duncan Meehan, Anthony Melluish, Helen Cheryl Njolai, Eric Onslow, Natalie Jane OToole, Brendan Rai, Ramesh Rex, Michelle Roberts, Lisa Satheesababu, Sonya Sharman, Nicola Ann Shelton, Timothy Charles Shephard, Kelly Stirling, Alexis Trevallion, Nicola Louise Turner, Nadine Welsh, Wendy Teresa Wilson, Andrew John Wood, Claire Louise Wood, Matthew Woodward, Louise
M2 Financial Management
Ashmore, Victoria Barron, Francesca Helen Breeze, Benjamin John Burrage, Peter Cardwell, Mark Douglas Chessman, Erica Anne Clapham, Fred Coogan, Stuart David Roy Cox, Richard James Davies, Christopher Stuart Denny, Gemma Louise Ellis, Matthew George, Lisa Elizabeth Gough, Paul Hammond, Angela Dawn Marie Heppleston, Russell James Hinde, Katharine Hopewell, Peter Leung, Wai Liveston, Kirsty McCulloch, Andrew Bruce McHugh, Matthew Ian Miller, Adam Moloney, Kevin John OShaughnessy, Paula Proctor, Richard Murray Rashid, Shahid Robinson, Andrew James William 17/4/12 12:11 Smedmor, Christopher David Stringer, Richard Tariq, Moazzam Thomas, Craig Trevallion, Nicola Louise Tyrrell, David Willetts, Karen
Denny, Gemma Louise Ellis, Matthew Furber, Kathryn Gray, Andrew Greenbeck, Fiona Hadden, Catherine Margaret Hall, Mabel Mary Hamilton, Andrew Harrold, Lee Peter Heaphy-Davies, Lindsey Hedley-Smith, Martin Hewitt, Paul Hinde, Katharine Hopewell, Peter Jones, Philip Charles Kaburara, Kimuli Khan, Addiba Kidd, Jonathan King, Simon Richard Kitchin, Julie Lamb, David Robert Lefevre, Irene Lourie, Matthew McAteer, Kieran Anthony McCaffrey, Orla McGreevy, Samuel Gerald McKee, Alan Melluish, Helen Cheryl Miller, Adam Moloney, Kevin John Momoh, Oluyomi Murray, Debbie Maria Louise Oldham, Justin Ooi, Justin Povey, Alex Scott, Colin Alexander Sharman, Nicola Ann Shephard, Kelly Sheridan, Steven Small, Colin Peter Smedmor, Christopher David Stirling, Alexis Stubbs, Bharati White, Pinar Woods, Tracey Wright, Daniel To find out how you can become qualified with the IIA, call 0207498 0101, visit www.iia.org.uk or email studentsupport@ iia.org.uk Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.
39
Working with aspiring members of The Chartered Institute of Internal Auditors since 1989