Issue 5 May/June 2012

The magazine of the Chartered Institute of Internal Auditors

We want to see internal audit takenseriously inthe institutions that we regulate

The forward-looking agenda of financial services regulator Andrew Bailey

Issue 5 May/June 2012

Sharing the risk: towards a more integrated assurance solution Hospitality fraud squad: how the hotel industry could cut its losses Name calling: is your reputation bad for business?

Contents
26
Issue 5 May/June 2012

Issue 5 May/June 2012

The magazine of the Chartered Institute of Internal Auditors

We want to see internal audit taken seriously in the institutions that we regulate
The forward-looking agenda of financial services regulator Andrew Bailey

18

Sharing the risk: towards a more integrated assurance solution Hospitality fraud squad: how the hotel industry could cut its losses Name calling: is your reputation bad for business?

18
Published for the Chartered Institute of Internal Auditors byCaspian Media Ltd, Unit G4, Harbour Yard, Chelsea Harbour, London SW10 0XD 020 7045 7500 Editors Keith Ryan keith.ryan@caspianmedia.com 020 7045 7543 Alice Hoey alice.hoey@caspianmedia.com 020 7045 7554 Chartered Institute of Internal Auditors info@iia.org.uk www.iia.org.uk 020 7498 0101 Subscriptions membership@iia.org.uk 020 7498 0101 Advertising Ian Mehrer ian.mehrer@caspianmedia.com 020 7045 7596 Creative director Nick Dixon Art editor David Twardawa Opinions expressed by contributors are their own. Reproduction in whole or in part without written permission is strictly prohibited. ISSN 2048-8408.

22
Front
3 The IIA view
From the CEO, Ian Peters.

Features
12 A very prudent man
The incoming head of the authority thats set to replace the FSA, Andrew Bailey, explains his plans for internal audit to be taken seriously in the financial services industry.

REGULARS
31 Tools for the job
Resources, books and advice to help you perform.

5 World view
From Richard Chambers, IIA Global president and CEO.

32 Career development tips

Exam technique.

7 View from the top

From Steve Humphries, group head of audit at brewing giant SAB Miller.

18 Better together
How to achieve integratedrisk assurance in your organisation.

33 You asked us
Experts answer readers technical questions.

8 Update
The latest news affecting the profession.

34 Getting qualified
Crucial exam information.

22 Room for improvement

The UK hotel industrys losing battle against fraud.

36 IIA update
Institute news and membership matters.

10 Vital statistics
KPMGs survey of how firms are increasingly adopting an integrated approach to governance, compliance and risk management.

26 Mud sticks
Why it pays to safeguard yourorganisations reputation closely.

37 Courses and events

Key training dates for Q3.

38 Exam results

We post more news and articles online every week. To access these, visit www.auditandrisk.org.uk

View from the IIA

New regulation new opportunity

While a closer relationship between internal audit and the regulator may be necessary, as the Basel Committee proposals suggest, it is important that regulators appreciate the need for a balance.
Ian Peters, chief executive of the IIA

Its been 11 years since the Basel Committee on Banking Supervision issued its first set of principles for internal audit in the banking sector. The past few years, since the financial crisis began, have brought much change in the corporate governance world particularly in relation to banking industry regulation. It was, therefore, high time that the supervisory guidance for internal auditors was updated. Accordingly, the committee recently closed a consultation on proposals for a new set of principles to guide the supervision of internal audit in banks around the world. As part of its drive to create better corporate governance and efforts to help prevent another banking crisis, the Basel Committee is seeking to give internal audit functions in the banking sector more authority, stature and independence. Its proposals make clear reference to the IIAs International Standards and Code of Ethics and commend a risk-based approach to internal audit.These proposals are, therefore, to be welcomed on the whole. But our welcome does come with some important caveats. For example, the proposals reference to a risk-based approach to internal audit is at odds with some prescriptive recommendations about what must be audited and to what timeframe, particularly coverage of regulatory matters. And, while a closer relationship between internal audit and the regulator may be necessary, as the proposals suggest, it is important that regulators appreciate the need for a balance. Internal audits work with boards and executives needs to be as

effective as its work with external supervisors. Getting this balance right is crucial to effective corporate governance and the management of risk. The proposals should make the role of internal audit in banks more pivotal to good corporate governance. The right mix of technical and business skills within the internal audit team is essential to this. Attracting and retaining the right mix of people and skills is a function of remuneration, training and appropriate qualifications. Again, there is a need for balance here. On the one hand, remuneration must be adequate to attract the right skills

The right mix of technical and business skills within the internal audit team is essential
into the internal audit function. On the otherhand, it must not be structured in a waythat could be seen to compromise independence and objectivity. Effectively resourced internal audit functions also need the support of clear guidelines and working practices. And, while

the Basel Committee clearly exemplifies the IIAs International Standards in its proposals, extra sector-specific guidance to enhance these would be beneficial. If appropriately refined to reflect these points, the proposals represent a strong blueprint for internal audit in the banking sector.Their emphasis on greater recognition and support for the profession represents an enormous opportunity for internal auditors, banks, regulators, bank customers and the public interest. And it is providing a firm foundation for the institutes strengthening relationship with the UKs financial services regulators. Our interview with Andrew Bailey on page 12 reflects the growing recognition of the value that internal audit can bring. As the new head of the banking regulator, the Prudential Business Unit, which will become the Prudential Regulatory Authority in 2013, he is clearly welcoming of a closer relationship with the IIA and sets out a positive vision for the role of internal audit in banks. Our challenge as a profession and as an institute is to help turn that vision into reality.

READ MORE
You can view the IIAs full response to the Basel consultation in the Knowledge Centre at www.iia.org.uk

View from IIA Global

Skills whats in your toolbox?

Richard Chambers, president and CEO of IIA Global
Im old enough to remember when it was easy to prepare for a career in internal audit. The rules were simple: without a background in accounting or finance, you wouldnt even be considered for internal audit positions in many organisations.To get into internal audit, the quickest route was to gain a degree in finance or accountancy and then spend at least two years at a public accounting firm, preferably a large one. That was then; this is now.The old rules no longer apply.The difference in what is now required of internal auditors was highlighted by the results of recent IIA research. Its March2012 Pulse of the profession survey showed that, for the second year running, chief audit executives rated analytical and critical thinking as their most sought-after skill (73 per cent, compared with only 34 per cent rating industry-specific knowledge). As with so many things in this profession, its all a matter of risks. When we perform our risk assessments and make our plans, we sometimes become painfully aware that our internal audit groups may no longer have the skills to get the entire job done. A growing number of internal audit executives are finding that its time to rebalance the skill sets that their group can bring to the table. We are in a war for talent in which chief audit executives and heads of internal audit must balance the demands of the latest risk assessment against their current staff profiles and budgets.The war is complex and no one solution can solve the problem in its entirety. We need to recruit a wider variety of skills, but we also need to develop the skills of existing staff members so that they can achieve optimal effectiveness. At times, particularly when conditions are changing or when very specialised skills are necessary, neither of these approaches is sufficient and it can become essential to consider extra options such as guest auditors, co-sourcing or staff rotation programmes. Failure is not an option. One of the few audit sins worse than ignoring an area at the top of the risk assessment is performing an audit for which the auditors are not qualified.The reputation of a leading internal audit function may be gained at the speed of inches a year, but after a bad audit it can be lost at the speed of lightning. Under the International Standards for theProfessional Practice of Internal Auditing, the internal audit activity collectively must

One of the few audit sins worse than ignoring an area at the top of the risk assessment is performing an audit for which the auditors are not qualified.

Last years skillswill not beadequate for completing next years audits
possess or obtain the knowledge, skills andother competencies needed to perform its responsibilities. We all realise that internal auditors are no longer just bean-counters.Todays auditors still need to know how to count the beans, but we also need to understand how the beans are grown, harvested, marketed and shipped. Its impossible to know what will be demanded of internal audit professionals next year. But one thing is certain: last years

skills will not be adequate for completing next years audits. Our profession is changing faster than ever and we are all being affected by the changes. Internal auditors who have been practicing successfully for a decade or more are sometimes finding that they dont have the technical skills they need in order to be successful this year. Its time for each of us to take a freshlook at the tools in our auditing toolboxes. Each of us needs a strategic development plan to ensure that well stay relevant in the future. Luckily, keeping our auditing skills fresh has never been easier. Today there is an almost unlimited variety of seminars, conferences, college courses, online training events, workshops, chapter meetings and round-table events for internal auditors. Regardless of audit schedules, budgets or work locations, any determined internal auditor can find opportunities to improve their skills. Your career is in your hands its up to you to make the most of it. Most of us truly enjoy continuing education opportunities. But if you are one of the few who do not lookforward to improving your skills, just remember the words of Muhammad Ali: Ihated every minute of training, but I said: Dont quit. Suffer now and live the rest of your life as a champion.

For further information

Richard Chambers writes a blog at www.theiia.org/blogs/chambers and tweets at www.twitter.com/rfchambers

View from the top

Risks and rewards keep your eyes open

Stay smart, stay flexible, stay connected, keep listening Do things right every time and youll have happy stakeholders.
Steve Humphries, group head of audit, SABMiller
I think that internal audit has evolved considerably over the past 10 to 15 years. Ithas become much more professional and evermore relevant. It is seen in many companies as a genuine business partner with a valuable contribution to make to theongoing success of the enterprise. However, there are still greater differences in the quality andperformance of internal audit functions than you tend to see in other departments, such as finance, treasury, legal and taxation, so there is still room for improvement. But sofar, so good. As internal auditors, we should make sure that we cover the core assurance basics every time. By this I mean financial, operational and compliance risks. If you do this well, then you can build on this solid foundation, for example, by also looking at strategic risks. A review of strategic risks must feature in the plan of every mature audit function, but we need to approach this area with great care. A poorly prepared auditor who challenges the judgment shown by the chief executive or chairman of the board is very likely to be the auditor searching for a new career opportunity. We need to stay alert to changes in the risk landscape and challenge ourselves about whether our plans cover the most significant risks and whether we have the skills to address these. We need to ensure that we have an appropriate balance in the type of work we undertake, ranging from traditional rated audits to consultative pieces of work. All have their place in a successful audit function. Stay smart, stay flexible, stay connected, keep listening. And dont be seduced by the cyclical reinvention craze that sweeps across the profession. Do things right every time and youll have happy stakeholders. SABMiller has over 200 beer brands in more than 75 countries. Although we have a number of international brands in our portfolio, such as Peroni, Pilsener Urquell, Grolsch and Miller, most of our brands focus at a national level where they have market-leading positions. With such awidespread group, we need an excellent approach to risk management and we have it. Our risk reporting uses a carefully coordinated bottom-up and top-down approach, ensuring full participation from all levels of management. As internal audit facilitates large parts of the risk reporting process, we are able to rely on it as a key contributor to the global audit plan. This means that the plan includes local, regional and global elements of work. Its therefore fully inclusive. To expand on my fully inclusive comment: some risks to our business are region-specific and others are common across the globe. As an audit function, we need to ensure that we have appropriate responses to examine how these risks are being managed for example, responses to the rapidly growing markets in Asia, Latin America and Africa; to the markets in Europe and North America that have been affected by the economic crisis; and to developments in UK law that apply to the whole of SABMiller, such as the Bribery Act 2010. We need to be alert for any issue that could have an impact on our reputation and this includes the behaviour of all our staff. To execute the audit plan, I have access to about 140 internal auditors around the world. To ensure the consistency of how our work is executed, recorded and reported, we have one global method, a single audit management system and internal quality-assurance mechanisms to ensure that everything works as intended. Ialso periodically benchmark the performance of the team against those in other FTSE-100 companies. This is a valuable sense-checking exercise and I share the results with management and the audit committee. Its worth remembering this one simple truth internal auditors have the same objective as everyone that we work with: forour companies to be as successful as possible. It is not the auditors role to distract managers unnecessarily by focusing on irrelevant minutiae. It is our role to challenge them on how significant risks are being identified and managed. And to help them see the wood for the trees.

ABOUT THE AUTHOR

Steve Humphries has worked in senior internal audit positions in large multinational FMCG and wholesale distribution businesses for more than 20years. Theseinclude SABMiller, Wolseley, AveryDennison and Nestl. He is a memberof theIIAs newly formed Internal Audit Leaders Forum.

Looking for more? GO online

Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

UPDATE
Remote working risk guidance
The UK Centre for the Protection of National Infrastructure, which provides security guidance, has published a best-practice guide on managing remote working risks. Find out more by visiting bit.ly/ RemoteWork

We round up the latest business and regulatory news to affect the internal audit profession.
Risk investment improves bottom line
An organisations level of risk investment can affect its financial performance, a new report by Ernst & Young has found. According to its study, Turning risk into results , companies in the top 20 per cent of risk maturity where maturity was defined by the number of risk management practices applied generated three times more EBITDA than those in the bottom 20 per cent. Previously, says the report, senior executives may not have perceived risk management as strategic to the enterprise, or lacked sufficient confidence in their ability to identify and address the risks that could affect the financial performance, or eventhe viability, of their organisation. Our point of view is that companies with more mature risk management practices outperform their peers financially. Our client experience and study results strengthen that perspective, said Randall Miller, global advisory risk leader with Ernst & Young. You can download a copy of the study here: bit.ly/EY_Study

KPMG: risk reviews more frequent

Manufacturers and retailers are showing a greater appetite for risk reviews as finance directors and their boards meet more often to discuss key business risks. According to KPMGs latest global CFO consumer markets survey, Turning global risk into an opportunity , weekly risk reviews have more than doubled in two years. The research has found that 19 per cent of manufacturers andretailers conduct weekly risk reviews, compared with seven per cent two years ago. Nearly half of respondents (44 per cent) say that economic uncertainty is the biggest risk to companies, while a quarter (27 per cent) believe that political instability is also a major concern. Retailers and manufacturers also cite supply-chain problems as one of their greatest operating risks particularly in the Asia-Pacific region after political upheaval, the explosion of the Fukushima nuclear plant in Japan, floods inThailand and the earthquake in New Zealand.
To download a copy of the report, visit bit.ly/KPMG_Risk

Survey examines social media risks

Social media represents a growing information headache for UK businesses, according to a survey by information security specialist Iron Mountain. While 76 per cent of UK respondents say they regard social media as formal business records, only 54 per cent are aware that they carry legal liability for the content. One-third of UK respondents (34 per cent) describe their management of social media as chaotic and unmanaged and as many as three-quarters (74 per cent) ban the use of social media at work completely. To read the survey, visit www. ironmountain.co.uk

ICAEW: bank challenges should be made public

One of the UKs accounting bodies is recommending that stakeholders get better access to information about the challenge and debate that has taken place between bank auditors, the audit committee and executive management. In a new report, Enhancing the dialogue between bank auditors and audit committees , the Institute of Chartered Accountants of England and Wales (ICAEW) proposes that details of the key accounting judgments that have been challenged by the audit committee should be published in banks annual reports. The ICAEW complains that much of the bank audit process takes place behind closed doors.This lack of transparency has led to questions about the extent of professional

scepticism being applied. The ICAEW says that banks should consider the extent to which the objectives of the auditor, audit committee and executive management are similar or not for the various activities within the annual reporting process, and that the level of cooperation and challenge should be balanced accordingly. The ICAEW also recommends that bank auditors and audit committees should have good relationships with the banks risk committee to ensure a coordinated approach to addressing risk, and that banks should plan well ahead for an efficient year-end process.

You can download a copy of the report here: bit.ly/ICAEW_report

FSA fines for system weaknesses

Weak risk management systems were responsible for more than half of all the fines imposed by the Financial Services Authority (FSA) on financial services businesses last year, says the IIA. The institutes analysis shows that 60per cent of the fines levied by the regulator in 2011 were either entirely or substantially triggered by weaknesses in the risk management systems of those businesses, up from 55 per cent in 2010. The research also showed that lapses in risk management and internal control systems cost financial firms 38.5m in fines during 2011. Areas that the FSA has reviewed for weak risk management systems include anti-money-laundering controls and the ring-fencing of client assets through to the provision of advice on products to customers. While regulatory investigation used to focus on incidents where customers had suffered losses, now the emphasis is onprevention, saidthe IIAs chief executive, Ian Peters . The FSA expects firms to have the controls in place to ensure that customers and counterparties cannot be put into such a situation. He added: The message for firms is that ineffective risk management and systems of internal control will be taken very seriously by the regulator. For more information, visit bit.ly/FSA_Fines

Companies warned about comply or explain

The Financial Reporting Council (FRC) has taken steps to promote a better understanding of its comply or explain approach to corporate governance. The UKs corporate reporting regulator has published What constitutes an explanation under comply or explain? for companies reporting why they have not complied with parts of the corporate governance code. The FRC says that non-compliance disclosures should set out the background as to why the company has not followed the code and provide a clear, specific rationale.The regulator also says that companies should indicate whether the deviation from the codes provisions is limited in time, and should state what alternative measure the company is taking to deliver on the principles set out in the code and mitigate additional risk.
To download a copy of the FRCs paper, visit bit.ly/FRC_Explain

UK must be prepared for collapse of euro

Ministers should plan to deal with a breakup of the eurozone as a matter of urgency, a parliamentary committee has warned. Thejoint committee on the governments national security strategy said the full or partial collapse of the single currencywas plausible, adding that political unrest and a rise in economic immigration could result. The committee, whose members include MI5s former director-general, Baroness Manningham-Buller, said that economic instability could leavethe UK unable to defend itself. It added that governments across the EU could be forced to cut defence spending if the instability were to continue. International economic problems could lead to our allies having to make considerable cuts to their defence spendingand to an increase in economic migrants between EU member states andto domestic social or political unrest, the committee said.
For more information, visit bit.ly/NSS_Review

REPORTAGE
Getting serious on risk
10

As governance, risk and compliance (GRC) issues continue to make substantial progress up the boardroom agenda, executive management teamswant assurances that all three components are being integrated effectively and efficiently, according to The convergence evolution , KPMGslatest global survey of senior decision-makers on risk.

Today, 41% of boards globally and 50% ofUSboards are taking GRC very seriously , compared with only 10% globally and 13% intheUSbefore the financial crisis.

A growing demand for integration

Executive teams:

The main stakeholders exerting pressureon boards to take integrated assurance more seriously are:

Regulators:

48% globally; 42% in the US.

43% globally; 27% in the US.

The increasing appetite for GRC is driven mainly by a desire to reduce risk exposure (51% globally and 54% among US firms) and the need to tackle overall business complexity (35% globally and 34% in the US).

A price worth paying

90% of respondents found that their GRC costs had risen an

indication of the higher priority placed on GRC, but also a potential sign that the management of these processes could be better coordinated.

State of play
said their organisations were effective at sharing information and resources across functions. About a third of respondents said their companies were good at ensuring a consistent GRC approach across borders.

38% of global respondents and 45% of US respondents

Only 9% of organisations globally (45% in the US) said that their GRC activities were fully integrated into their business strategies.

11

For 7% of organisations globally and 16% in the US, governance convergence should result in long-term cost reductions.

44% of organisations globally and 43%

ofUS companies saidthat they were effective at ensuring the quality and availability of GRC data.

You can download a copy of KPMGs The convergence evolution report by visiting bit.ly/KPMG_Convergence

12

Being an internal auditor in a complex financial institution is a highly skilled role. I wonder whether the profession gets the credit it deserves

A very prudent man Andrew Bailey has acquired a pivotal role in the UKs new era of financial supervision and regulation. And the internal audit profession has just got itself a new and very challenging friend.
Words: Stuart Rock Photographs: David Short

13

ajor reforms of an entire industry dont come along too often.The dismantling ofthe Financial Services Authority (FSA) is one of themost profound regulatory changes to take place in the UK in the aftermath of the financial crisis. This is not an overnight process. Its not even anover-year process. But, before it is concluded, itlooksset to change the internal audit profession significantly and whisper this very positively. Because the role and effectiveness of internal audit isfirmly on the agenda of one of the principal figurescharged with developing and supervising thenew regulatory regime. We all know Andrew Baileys name. Or,rather, weall know his handwriting. Itshis signature that wesee on every bank note, owing to his stint as chiefcashier of the Bank of England during his 25-year career there. Now the man himself is

emerging intothe public arena. At the end ofJune he will step up to headthe Prudential Business Unit, the part ofthe FSA that foreshadows the Prudential Regulatory Authority (PRA) before it formallycomes intobeing in early 2013.

Building blocks
The PRA will be one of the two so-called twin peaks that, alongside the Financial Conduct Authority, will supervise the financial services industry. A subsidiary of the Bank, the PRA will be responsible for promoting the safety and soundness of the businesses it regulates: deposit-taking institutions, insurers and designated investment firms. The FSA may not have actually used theterm light touch about itself, but this isthephrase that has been attached to it initially approvingly and then damningly. Bailey, who was not inthe FSA himself, is certainly not a man to point fingers, buthe does acknowledge some of theshortcomings of the past. There was , hesaysin measured tones, a relative de-prioritisation of prudential regulation. His job is to restore such a priority.The fundamental building block for the PRA is to be focused on the big issues and risks to institutions and more forward-looking than financial regulators historically have been. One of the key things for the PRA is that we intend to be focused. I dont mind being intensive and intrusive when we needto be, but the fact of the matter is that we need to be focused. This refocused approach to prudential regulation has a clear implication for the firms that the PRA supervises: internal controlsneed to be robust. It is important that the regulator doesnt try to substitute for

14

We do want to see the internal audit profession taken seriously within theinstitutions that we regulate. We want it to have an appropriate profile and thereby bolster the standing of theprofession, because it is important
them, Bailey says. But, if it is doing its proper job, the controls within these firms also need to be doing their proper job. And that is why I am very keen that we include on the agenda of changes the role and effectiveness of internal audit. He admits that he does not have an internal audit background. I cannot preach on this subject from a technical perspective, but I talk quite often to the internal auditor ofthe Bank of England, Stephen Brown, who is good value on these subjects. We find ourselves very much in agreement. Yet he does draw lessons from the changing role of internal audit within the Bank itself. We have tried to ensure that the

It is very important to maintain the clarity that internal audit does not work for the regulator, but for the firm

While some of what I say might sound a bit harsh, there really is good intention here

governance of the audit and risk committee of the Bank is properly aligned so that the members can raise their concerns and get effective action, he says. But there is a considerable degree of scepticism among supervisors at the FSA that this is true among all major institutions today. Bailey does not pull his punches here. There is scepticism about the level of influence that internal audit is able to exercise. There are a number of strands that we want to tackle, he says. Are the internal audit functions effective in their own right? Isthe governance effective in allowing internal audit to play its proper role? Its not only a question of having really good people; its also of whether the governance is

appropriate so that internal audit is taken seriously. Is it able to operate effectively? Dosenior executives and the board take it appropriately seriously, rather than regarding it as a bit of a nuisance? Does internal audit feel that it can raise concerns and get action? Is it properly regarded as acontrol function rather than as a consultancy? Is there a sufficient challenging of the established ways of doing things? These are all tough questions, but Bailey is quick to stress that he is not picking on internal auditors. While some of what I say might sound a bit harsh, there really is good intention here. We do want to see the internal audit profession taken seriously within the institutions that we regulate. Wewant it to

have an appropriate profile and thereby bolster the standing of the profession, because it is important. This is why Bailey foresees and wants much better communication and a stronger partnership between the PRA and the internal audit profession. Its not that there has been a poor relationship before; its merely that there hasnt been one an observation that he regards as interesting and possibly strange . So he intends to do something about it. We should work with the profession to encourage the objectives that we want. In a helpful coincidence, the two parties have got a meaty issue to chew on: the proposals coming from the Basel Committee. Bailey has had several conversations with the IIA and will have more, particularly as the FSA/PRAs proposals and the Basel proposals start to come together. Does Bailey share the IIAs view that the current Basel recommendations are too prescriptive? His reply gives a flavour of hiswillingness and desire to listen and engage with the internal audit profession. It may be true that they are too prescriptive. If so, the only way to deal with this is to have a very effective relationship and communication with the profession where it can say: Thiswouldnt work, but this might. We are open to ideas on this one. There is not a well-formed view.There is more a diagnosis of the problem than there isa mapping of the solution. It is one of thoseissues that the crisis has thrown up thatwe must do something about.

15

Parallel worlds
There is one aspect that he has extremely well-formed views about, however, and thatconcerns the relationship between the regulator and internal audit.

{
We all know Andrew Baileys name. Or, rather, we all know hishandwriting. Itshis signature that we see on every bank note, owing to his stint as chief cashier of the Bank of England

It does seem to me important that internal audit is not a low-paid backwater. If it is, it cannot be effective

16

It is very important to maintain the claritythat internal audit does not work for the regulator, but for the firm.The regulator will want to see that internal audit functionseffectively, in both a technical andagovernance sense, and that what it says is taken seriously and acted upon. Whatis important in my mind is that the regulator does not substitute itself for the internal auditor in the doing of it. We are hereto bolster the standing of the internal audit profession. The role of bolster, not substitute could indeed apply the other way around. Bailey sees parallels between his own world and that of the internal audit profession. Being an internal auditor in a complex financial institution is a highly skilled role. I wonder whether the profession gets the credit it deserves and is able to recruit the people it will need to do that, given that there are more glamorous and well-paid jobs available. Its a bit like us, really we have that in common. Itdoes seem to me important that internal audit is not a low-paid backwater. If it is, it cannot be effective.There has to be a right balance. It is the same challenge that we as financial regulators have with our own staff. Remuneration has to be structured

correctly and it has to be sufficiently attractive for the right sort of people. In the end, of course, Baileys bailiwick extends only so far, while internal audit covers the whole spectrum of corporate life. But the profile and economic importance of financial services let alone the harrowing and complex experiences that the industry has faced in the past five years gives this

newrelationship a particular significance. Internal audit has a new supporter who will bring focus and intellectual rigour to his dialogue with the profession. And his first port of call will be the IIA. The institute understands the need for internal audit to be more effective in complex financial institutions, he says. Were very keen to work with it to push that forward.

On the road to prudential regulation

During 2012 the shadow versions of the two new authorities will gradually takesubstantial form. In April the FSA split its internal operations into a prudential business unit and a conduct business unit, as precursors to the PRA and FCA respectively, and supervised firms will start to notice the new divided structure. Well be using the next year in the FSA to iron out some of the kinks that we will no doubt see in the process as it evolves, Bailey explains. While some changes in approach will come about only once the PRA is created and has the requisite legal powers, the FSA will begin introducing what Bailey calls new forms of supervision during this year of transition. These are the building blocks of the new regime, in terms of making it more forward-looking and more judgmental, focusing on big risks and issues, Bailey says. The so-called Arrow process will be replaced with a different framework of risk analysis and framework of engagement with firms. We expect all of that to happen during the next year. We are going towards an annual cycle of review that has an annual supervisory assessment at its apex. We will use more peer-group analysis. There is not enough, in my view, to inform our assessment of institutions. Itis often peer-group analysis that is the most telling. We want the process to be more focused. I do think that there is a broad support for that approach. Firms want to see that our supervisors doit, sign up to it and practise it. They quite rightly want to see the evidence that we are actually going to do it. Quite reasonably, their jury ought to be out on that at themoment.

Operational executives can get overwhelmed by thenumber of risk reports passed up to them from differentdepartments all trying to provide assurance

18

Ten steps to integrated assurance

2 3 4 5 6 7

9 10

Consider the big picture first and identify where to start. Form a crossfunctional team or committee. Define roles and responsibilities early in the process. Beware of building another silo. Get the processes worked out beforeinvesting in newtechnology. Seek out overlaps and build efficiencies. Create a common language and understanding concerning risk. Look for ways of converting compliance expenses into broader businessbenefits. Dont lose the detail in the convergence process. Remember thatintegrated assurance is a gradualprocess.

Better together
Words: Neil Hodge
This approach promises several advantages: overlapsand gaps in risk assessments and controls are more easily identified; costs can be reduced; and information is more effectively shared and acted upon. Whats more, assuranceproviding functions such as HR, legal, IT, finance, risk management and internal audit can all agree a common view of risk and how it should be reported to the board. Unsurprisingly, such benefits are prompting more organisations to consider adopting an integrated assurance framework. Both executives and regulators seem to favour the approach, according to KPMGs recent survey, The convergence evolution , which found that these two groups are the key drivers for more integrated assurance. External auditors and investors were seen to follow closely behind. Why integrate? According to the survey, the increasing appetite in integrated assurance is largely down to a desire to reduce risk exposure and the need to tackle overall business complexity.The results suggest that, for 16 per cent of organisations globally, governance convergence should result in a long-term cost reduction. Experts believe that integrated assurance can simplify risk reporting and prevent executives from getting assurance fatigue . Ian Beale, senior director of the corporate integrity practice at consultancy Corporate Executive Board, says: Operational managers and executives can get

For a growing number of organisations, the keyto effective governance is to identify which departments provide assurance on risks to the business and then get them to collaborate.
overwhelmed by the number of risk reports thatare passed up to them from different departments all trying to provide assurance. These reviews distract teams, repeat questions and leave behind multiple action plans. It is littlewonder that some directors have difficulty aligning all these risks and prioritising them, particularly as the way they are reported can differ widely. Some believe that greater coordination between assurance-providing departments willalso help to improve governance overall. JoeCollins, an independent risk assurance and governance consultant who has worked as an HIA in the energy sector, warns that audit committees and boards are at risk of getting a patchwork quilt of assurance if reporting is notbetter integrated. Theres a real danger that functions that arediligently setting up best-practice standards for employees to follow such as HR, IT and legal are conducting only limited checking to see whether these are being complied with, butare nonetheless assumed to be providing effective assurance by the audit committee, board members and executives alike. As a result, both executives and non-executives can think that the associated risks are being controlled effectively when they may, in fact, not be, Collins says. Anintegrated assurance framework would helpto highlight these deficiencies and internalaudit therefore has a vital role to play in making sure that the

19

20

assurance that these functions are providing and, critically, what they are not is actually understood, he says. So far, regulators around the world have encouraged organisations to consider adopting an integrated assurance framework, but have not made it mandatory (South Africa is an exception: its code of governance principles, known as King 3, advocates a combined assurance model to provide a coordinated approach to all assurance activity). But several industry standards and best-practice guidance documents promote integrated assurance as a viable option. Auditing guidance and standards such as AAF 01/06, SAS70 and ISAE 3402 which require outsourced service providers such as third-party IT specialists to have a mechanism for providing independent assurance for their clients are bringing assurance providers together. Coordination of assurance is also occurring in the public sector. For example, the 2006 Audit Commission document Taking it on trust encourages hospital trusts to review and increase the assurances they receive from sources other than internal audit, including clinical audit to ensure that their full portfolio of risk is covered. More recently, the 2010 HMTreasurys strategic improvement plan for internal auditconsultation stated that a prerequisite for a high-performing internal audit service is that stakeholders must understand all major risks and their related assurance needs, and actively support an integrated assurance process to increase focus, reduceduplicationand eliminate unnecessary cost over assurance . The IIAs International Standards alsosupport the idea of effective coordinationamong assurance providers. PerformanceStandard 2050 Coordination states: The chief audit executive shouldshare information and coordinate

When you integrate, the organisation needs to agree the new rulesof the game
Courses and resources
The IIA offers courses on assurance mapping, run by James Paterson PIIA. Assurance mapping: the foundations , will take place in York on 18 May and 11 September (details can be found at bit.ly/GXrVqv), while Assurance mapping driving further benefits will take place in London on 12 September (more details at bit.ly/HlM9L8). The IIAs Certificate includes an award on integrated assurance that can also be studied as a standalone two-day course. For details, goto bit.ly/HgfPet and bit.ly/GZtLUS The IIA and Global IIA have issued useful guidance to help internal auditors provide better assurance. These documents include: New practice guide on coordinating riskmanagement andassurance (bit.ly/GZNoj7). 2011 practice guideon reliance byinternal audit onother assuranceproviders (bit.ly/GXsIaN). Guidance on coordination of assurance services (bit.ly/GW1GOU).

activities with other internal and external providers of assurance and consulting services to ensureproper coverage and minimise duplication of efforts. The IIA and IIA Global have also issued professional guidance on coordinating assurance to improve risk reporting and management (see panel, left) for more details on relevant courses and resources). Getting it right Internal audit practitioners are certain that integrated assurance is the right way forward. James Paterson, PIIA, director of consultancy Risk & Assurance Insights and leader of the IIAs courses on assurance mapping, believes the secret to its success is sharing with key stakeholders information, processes and controls that are already in place. Crucially, he adds, effective integrated assurance should also include management activities and not simply reports from assurance providers. If an audit committee member has concerns about a key project, an assurance approach would be to consider getting the accountable manager to report how risks are being managed rather than asking internal audit to do an audit of the project, Paterson says. Internal audit would then get involved

These projects can take a lot of time to put into place and to get right. They require strong leadership and coordination

if there were still concerns remaining after that.This approach helps to enhance accountability for risk and control across the organisation, making the best use of existing resources and, over time, improving the robustness of assurance from other sources, he adds. Paterson says that the first steps in providing an integrated assurance model are to agree a sensible scope (including a definition of important terms such as key risk); to clarify the benefits that are being sought; and to determine what level of assurance is going to be provided either reasonable assurance or full assurance , for example. When you integrate assurance activities,the organisation needs to agree the new rules of the game governing what information is key and what is less important, he says. Otherwise, it becomes a subjective almost political document that will not really improve assurance or deliver any lasting benefits. John Harvie, director at internal audit and risk management consultancy Protiviti, says that it is important to coordinate how risk is reported upwards, which means agreeing on the same terminology and how the approach should be embedded. It is the chief risk

officers job to make sure that there is a shared view of risk and risk reporting so that the way that risks are relayed to the board such as using the traffic light system or grading by numbers and so on is consistent.The head of internal audits role is to ensure that these processes are understood and followed properly, he says. Ian Beale adds that the heads of assurance-providing departments need to keep regular contact and share information openly to prevent overlaps or gaps in risk reviews and reporting from occurring.To achieve this, organisations need to conduct assurance mapping to ensure that the approach is coordinated properly and reporting lines are made clear. An assurance map will identify areas where there are gaps and duplication, which assurance providers will need to discuss and resolve, Beale says. That discussion can help to clarify the boundaries of each assurance provider, while also giving the board the opportunity to determine whether adequate and reliable assurance is planned and being delivered. Easier said than done Yet evidence suggests that integrated assurance is far from easy to achieve. KPMGs survey has found that only nine per cent of organisations globally believe that their governance, risk and compliance activities are fully integrated into their business strategies.The main barriers to success they cite are the complexity of managingsuch a project; a lack of resourcesand expertise to do it; and poorly defined benefits. Furthermore, a professional guidance note released by the IIA in 2010 reported that 20per cent of HIAs had found that different terminologies and methods of providing assurance between departments had hindered their efforts to integrate assurance.

All too often I see assurance maps that look colourful, but dont really add any value

Meanwhile, 39 per cent of respondents said that under-developed risk management frameworks were a key problem and 34 per cent blamed the fact that no one would take ownership of the programme. Paterson also believes that few organisations have implemented combined assurance in a way they are happy with and that assurance maps can be flawed. All too often I see assurance maps that look colourful, but dont really add any value or tell you anything new, he says. I see too many organisations trying to map the world when youre much more likely to succeed if you carry out an assurance mapping exercise in a focused way, with a clear idea of the practicality of what is to be done and the benefits that will be obtained. Industry sectors that are leading the field, he says, tend to be those that are more heavily regulated, such as financial services, utilities, pharmaceuticals and some public-sector bodies. Clearly, where there is an external driver to explain to regulators how the assurance jigsaw joins up, it provides an impetus to take action, Paterson says. Further, it encourages a focused scope, which is one of the most important things to manage when you are working on a joined-up assurance model. Although embedding an integrated assurance framework may not be as simple as some practitioners would hope, few dispute the potential benefits. These projects can take a lot of time to put into place and to get right, says Joe Collins. They require strong leadership and coordination from the outset, executive support, a set ofshared goals and an agreed timetable. But,if you take a methodical approach, the potential benefits can be properly realised.

21

For further information

Read more about KPMGs The convergence evolution survey on page 10 or visit bit.ly/KPMG_Convergence

22

There is a growing awareness thatthe problem is bigger thananyone wanted to admit

Room for improvement

Losses owing to fraud and error cost the hotel and guest house industry 2bn a year, according to ground-breaking new research. Yet a modest investment and a proactive approach to countering the threatcould make a bigdifference.
Words: Alice Hoey Illustration: Russell Cobb
The UKs 46,000-plus hotels and guest houses have a combined turnover of about 40bn a year, but a 2012 research report by accountancy and business advisory firm PKF suggests that 5.7 per cent of this is lost to fraud and error. Published by PKF along with one of Europes leading research institutes on fraud, the Centre for Counter Fraud Studies (CCFS) at the University of Portsmouth, The resilience to fraud of the UK hotel sector reveals the findings of the most comprehensive study of its kind ever undertaken. considerably according to organisations resilience to fraud. Most hotels taking part in the survey claimed to take the problem very seriously, yet in far fewer cases did the reality live up to the rhetoric. Just under 90 per cent of the hoteliers surveyed said they had adopted a zero-tolerance approach and 85 per cent indicated that they had arrangements in place for reporting fraud. But only 30 per cent had actually sought to estimate the cost of fraud to their businesses or used those figures to judge how much to invest in countering fraudulent activities. Plugging any unnecessary leaks should be high on hotel managements to-do list, yet, even those that do have counter-fraud activities in place could be wasting their efforts. Only 23 per cent of respondents said that they reviewed the effectiveness of their counter-fraud work while only 35 per cent ensured that their counter-fraud staff regularly updated their skills. Such a lax approach raises the possibility that organisations are not only failing to prevent losses as a result of fraud but also investing in ineffective or ill-directed measures. So its perhaps unsurprising that, compared with businesses in other sectors, organisations in the hotel industry have little confidence in their own ability to tackle the problem. The fact that hotels are dynamic, complex and always-open businesses

23

On the house
The extent of the losses uncovered is staggering, especially for an industry that measures its annual gross revenue in the billions.There is a growing awareness that the problem is bigger than anyone wanted to admit, says Brad Bonnell, director, global fraud control group, at InterContinental Hotels Group (IHG). People have tended to think of fraud as a series of incidents to react to, rather than something that can be prevented, adds Jim Gee, director of counterfraud services at PKF and chairman of the CCFS. If all you do is react, youve already incurred losses and it can be very difficult to get that money back. But, while the scale of the overall losses are worrying, the report also highlights the fact that they vary

24

makes them particularly vulnerable to fraud, especially occupational fraud, Bonnell says. Managing the cost of fraud therefore requires a more strategic approach than it would in, say, a retail business, which has the luxury of being able to send the employees home and close the doors while the receipts are counted. The industrys frequent use of subcontractors also increases vulnerability, especially in hotels for which event management is a big part of the business, says John Burbidge-King CEO of Interchange Solutions, a firm that helps companies to mitigate bribery and corruption risk. Hotels, he says, should ensure that they know the background of everyone who works in or with their business. Companies may put prospective employees through the third degree, yet the only thing they know about their suppliers and subcontractors is who the sales representative is. Burbidge-King says. Subcontractors should be vetted, sensibly and proportionately to the risks. Cash is also often freely available in hotels and credit cards are used extensively. Hotels need to equip both their employees and subcontractors with the tools and resources to do their jobs properly and keep things running smoothly.Yet this approach is fraught with risk and means that trust is at a higher premium in the hospitality industry than it is in many other businesses.That applies from the chambermaids and

Were seeing businesses increasingly treat fraud as a business cost like any other

The data that we use tooperate our business, can, once intercepted, easily be converted forpersonal use
receptionists right through to senior managers, Bonnell stresses. The most costly form of fraud, but also the least common, is actually that committed by a senior-level executive, who can divert money to their personal use through fraudulent business reports, he says. This type of crime is less likely to occur ina larger hotel chain owing to some higher level of segregation of duties andmultiple levels of financial oversight. Another factor behind the growth in fraud in the industry is the use of web-based systems for managing reservations, commissions and frequency marketing programmes. Thedata that we use to operate our business can, once intercepted, be easily converted for personal use, Bonnell says. System controls to protect our data and intelligence are often not put into action. well protected organisations areagainst the cost of fraud to their businesses. The worst-protected organisations can be seen to loseten per cent or more, while the best-protected ones lose 1.5per cent or less, Gee says. Ifyou simply look at fraud as something to react to, then not only the fraud but also the investigation costs you money. And, if it goes to court you risk having your reputation and credibility damaged. However, were seeing businesses increasingly treat fraud as a business cost like any other something to be measured, managed and minimised.

Whats the damage?

While companies have tended to deny the extent or even the existence of fraud, increasingly accurateassessments of fraudresilience and losses are now facilitating a more proactiveapproach. PKF and theCCFS have calibrated how

And fraud can be tackled effectively at little or no cost. The starting point has to be putting in place a policy that articulates senior managements expectations concerning fraud, says Bonnell, whose strategy at IHG is proactive, consisting of fraud governance, prevention, detection and investigation. IHG aligned its internal audit function with its risk management internal security and investigation group, and has sought advice from expert organisations such as the CCFS, the Association of Certified Fraud Examiners and the American Society of Industrial Security. Ithas also shared best practice

and experiences with peers inthe travel industry airlines inparticular. These efforts highlighted, for example, the potential benefits of systematicdata analytics or datamining of large databases to identify and isolate obvious indicators of fraud. Considering the enormous amount of data that a hotel has to process and manage, what are actually quite obvious indications of fraud can be missed if you dont look hard enough or in the right way, Bonnell says. Internal audit can also play a key role here, with invaluable work such as correcting the systemic defects that contributeto fraud. If equipped to perform forensic auditing, theinternal audit group, joined with investigations, will produceimpressive results, says Bonnell, whose internal audit function has evolved into what IHG has come to view as a vital asset . He adds that internal audit can be critical in conducting the threat assessment. That will, ifdone correctly, stimulate the appetite of senior management to invest in a robust and productive fraud control function, Bonnell says. Internal audit can also measure the effectiveness of a counterfraud strategy to ensure that priorities are properly aligned. That success can be measured, in part, through metrics generated by a hotels whistle-blower hotline and the data analysis programs. An alliance with internal audit, corporate legal and risk

A proactive priority list

Develop a counter-fraud policy that communicates a zero-tolerance stance onfraud. It should be understood that everyone in the business is responsible for protecting it from this threat. Have an ongoing process of fraud risk assessment that provides guidance towards investing into the fraud control programme. Provide training on successful policies and procedures. The accumulated knowledge of hotel operators exists in the many policies thathave proven to prevent fraud such as mandatoryvacation or job-rotation requirements. Perform data analytics and provide a confidential whistle-blower hotline. Whistle-blowers must beprotected. Investigate all alleged incidents of fraud in a consistent, timely and thorough way.

management could produce, at very little cost, a reduction in loss to fraud that could be measured in millions or tens of millions of dollars, Bonnellsays.

Dirty laundry
Fraud may be a thorn in the side for hotels and guest houses, butits far from a new problem. So why ramp up efforts to manage the risk now? Bonnell cites recent legislation such as the SarbanesOxley Act, the UK Bribery Act and the Foreign Corrupt Practices Act as reasons to take a harder line. Because businesses are now held to a higher level of accountability concerning the integrity of their financial controls, they have to demonstrate transparency concerning fraud management, he says. This is forcing the hotel industry to look in the mirror. In their global analysis of fraud across a wide range of sectors, PKF and the CCFS found the overall losses incurred by businesses to have increased since the start of the recession a trend that Gee believes is in keeping with past economic crisis. Fraud is the last great unreduced business cost, he says. There is no better time to set about reducing it than in the current difficult macroeconomic climate, where the financial benefits can reinforce the health and financial stability of the hotels sector. The full PKF report can be found at bit.ly/y5W9by

25

{
Have you heard the one about the Kit Kat and the orang-utans? Its not a joke, actually. In 2010 the environmental campaigning groupGreenpeace accused Nestl the maker of Kit Kat of using palm oil supplied by a company that was destroying the habitat of the endangered primates. Spearheading the campaign against the confectioner was a made-for-YouTube video featuring a bored office worker eating a Kit Kat that oozed fake blood. Mere weeks after the YouTube video was posted and 200,000 complaining consumer emails later Nestl released a statement about itscommitment to tropical rainforests and announced a new partnership with the Forest Trust. Within two months of the campaigns launch, Greenpeace reported: Youll never guess what: Nestl has only gone and agreed to our campaign demands. In an era when reputation is all, Nestl acted quickly and decisively to close down a negative story that threatened to blight one of its leading brands. Theres no question that reputation is a powerful factor. Someorganisations flourish on thebasis of glowing reputations Amazon and John Lewis are goodexamples. Others have the opposite experience think

Everything we do can potentially have an impact on our reputation, either positive or negative

NewsCorporation and the News ofthe World. But what exactly is reputation, anyway?

Permission statement
Its quite hard to pin down a consensus on what reputation really means. Its variously described as a business asset to be safeguarded; a subjective composite of perceptions about an organisation; and the consequence of long-term work on building trust. In truth, its all three and more. For Richard Anderson, chairman of the Institute of Risk Management, Its what gives us permission to go out to the market. And, if we blow our reputation, we blow that permission. By way of explanation, he cites the example of BP . Had the company had less of a reputation before it went into the Gulf of Mexico disaster, it would not have survived. It did so because BP had a deep reputation and the financial resources that made people believe that it would be able to manage its way out of that situation. In that instance, then, reputation was like a licence to continue trading. For Anderson, who is also the managing director of Crowe Horwath Global Risk Consulting, reputation is also a kind of capital that organisations build up. Your reputation is intimately linked with trust, he says. And reputation and

26

If we blow our reputation, we blow our permission to go out to the market

When your name is dragged through the dirt, it can take a long time to get it clean again. We ask if organisations are paying enough attention to reputation risk and where the main threats lie.
Words: Wilma Tulloch

Mud sticks

27

{
trust give you permission to be in business. Estimating how much a reputation is worth is equally problematic. But Jean-Paul Louisot, professor of risk management at Universit Paris 1 Panthon-Sorbonne, has a very precise answer. He quantifies reputation as the difference between an organisations physical asset value and its market price. By that reckoning, reputation has a significant economic impact, representing probably between 60 and 70 per cent of developed countries wealth , he says. Its a startlingly high value, but it chimes with research from public relations firm Weber Shandwick. It surveyed 950 business executives worldwide, who strongly agreed that 63 per cent of a firms market value is attributable to reputation. These are big numbers, but why not? After all, a positive reputation goes a very long way. It improves relationships with stakeholders and helps with recruiting and retaining the best employees. It creates a more favourable environment for investment and access to capital. It attracts the best suppliers and customers. It reduces barriers to developing new markets. It helps organisations to charge premium prices. And it reduces the likelihood of litigation and punitive regulation. No wonder its important. As a consequence, organisations in general and risk managers in particular need to ask themselves if they

Reputation has a significant economic impact, representing probably between 60 and 70 per cent of developed countries wealth

are paying reputation as much attention as it deserves. Or are we, as Louisot suggests, all but ignoring the source of two-thirds of our organisations value?

If youve got it, keep it

One problem with managing the risks concerning reputation is where reputation sits in relation to risk management. Ive always struggled with the best way to present this, says Jackie Cain, the IIAs policy director. But really it doesnt matter whether reputation is a category of risk or whether its animpact that risks might have as long as you choose to deal with it in a way thats effective in your organisation. For Anderson, meanwhile, reputation is something that you create, maintain, manage and, ifnecessary, recover. The issue as I see it is that everything we do can potentially have an impact on our reputation, eitherpositively or negatively, he says. As risk managers, we are interested in the potential for either building or destroying reputation, just as we are interested in the potential for building or destroying financial resources or human resources. Reputation is another of thoseresources that is available to you. It follows that, for risk managers, reputation should be a major part of the equation. When Im looking at an

28

For internal auditors, the important thing is to ensure that reputation stays on the radar

organisations appetite for risk, Im considering several things, says Anderson. Im looking at its capacity for managing risks in terms of having the skills and the knowledge. Im looking at its capacity to manage risks in terms of financial resources. Im looking at the organisations capacity in terms

of having the necessary infrastructure and Im also interested in its capacity to manage risk in terms of its depth of reputation. Having that asset of reputation behind you is one of the important aspects in determining how risky you can be in determining how you pursue your business. For internal auditors, the important thing is to ensure that it stays on the radar. Its about

Had BP had less of a reputation before it went into the Gulf of Mexico disaster, it would not have survived

Notoriety or renown? Tracking the rise and fall

US market researcher Harris Interactive has asked 17,000 Americans to rate reputations incorporate America every year since 2000. Its research measures sixdimensions of reputation: socialresponsibility; emotional appeal; financial performance; products and services; vision andleadership; and the workplaceenvironment. In this years survey Harris found that 60 per cent of respondents believed that the reputation of corporate America was declining, while only 20 per cent of those polled agreed that its reputation was positive. The sector with the poorest reputation was government onlyten per cent rated it positively, which was even lower than the rating for the tobacco industry. Meanwhile, technology widely seen as a way out of economic hardship had the best reputation rating. Apple is the USs favourite company. Harris also found that 50 per cent of consumers will now research companies and not only their products before doing business with them. And, when potential customers find a lack of information on a firms corporate values and behaviour, it limits the emotional appeal of a company. Of those companies stuck in reputational rehab , BP has made up some ground in the past 12 months. Of Americas top 60 most visible firms, its ranking has risen from 59th to 57th.

29

challenging the organisation, Cain says. Start with what your organisation is trying to achieve. Find out what people think aboutits reputation. Is it an assetthat they are trying to manage, is it merely appearing as a risk or is it not really appearing at all? And make sure that, whatever management thinks is happening, you can actually provide some assurance that that is the case.

Anderson adds: Organisations have to ensure that they understand what drives the building or the destruction of reputation, just as they have to ensure that they understand what drives performance and what builds shareholder value. Then you can start to look at the risks that have an impact on those reputational drivers. Cain and Anderson agree that internal auditors are ideally

placed both to see how reputation is handled across the business and to raise its profile in the right places inside the organisation. Above all, the profession needs to understand its importance. Since internal auditors are increasingly moving away from financial audit, reputation really ought to be one of their key focuses, Anderson says. Thats because its a major component of shareholder value.

Tools for the job

Conf idence speaks for itself

This spring sees a number of additions to the IIAs portfolio of courses among them, Presentation skills for the less confident. Trainer StanDormer explains what internal auditors can expect to gain from it.
While this is the first year that the IIA has offered the course, Stan Dormer FIIA anticipates considerable demand from members at every level. Having run similar events in-house for professionals in the private and public sectors, this is clearly something that strikes a chord with internal auditors, he says. Why? Because internal auditors are more likely than most to need to give presentations in the course of their work. Whats more, the outcomes of those presentations matter, he adds. If an internal auditor conveys their information logically and persuasively, its more likely that this will be accepted and acted on. Inevitably, there are many internal auditors who, while being highly skilled in most areas, are uncomfortable when presenting their findings directly to others. It can be a particularly challenging prospect for an internal auditor, because they are often conveying disturbing news, Dormer says. Being the bearer of bad tidings and trying to encourage your audience in a constructive way is hard, especially if youre inexperienced. Furthermore, when an internal auditor gives a presentation, the audience tends to be quite intimate with no more than a dozen people in the room and very senior, which makes it even more intimidating. Using repetition and gently graded practice, the interactive new IIA course helps people to address their audience naturally, as if they were talking to friends. Central to this is the recognition that, whoever you are and however experienced you are in making presentations, its always nerve-wracking, Dormer says. If it isnt, you probably dont care enough. We all introductions, we move on to how to finish the presentation. While the end might seem the easy part, many people leave a dire lasting impression by tailing off with an apologetic ramble, he says, rather than simply shutting up. The course also helps people to understand how much material can or should be covered in a presentation something that many of us get wrong. Its far better to have less material than you need and be confident in this than it is to overrun, Dormer says. Theres no shame in finishing early if youve got the job done and done professionally. And its far better than seeing people shifting in their seats and looking at their watches. There are also ways to help people overcome the inevitable nerves. Delegates on this course will learn a variety of techniques for staying calm while keeping control of their audience. Improving the quality of your presentations can not only help you get your message across; it can also help to advance your career, according to Dormer. People who shout the loudest and take more risks get further in life, he says. Andyou really do never get a second chance to make that first impression. Stan Dormer FIIA is director of education and training at MindGrove, which runs the Presentation skills for the less confident course on the IIAs behalf. For more information on the course or to book a place, email trainingandevents@iia.org.uk or visit bit.ly/IIAPresentation

31

have these fears, but its important to remember that the audience is on your side. We teach you how to work through the audience a little at a time. This piecemeal approach is essential, he explains, because to take a complex audit report and present it verbatim simplydoesnt work. We encourage peopleto break their presentation down intosmall, logical elements and then rehearse each of them until these can be delivered with confidence. Dormer tackles the beginning and end first and then works on the tricky bits in the middle. We start with the introduction, which is often the most difficult element, because your mind is buzzing with worry and embarrassment, he says. Once people on the course are polished at making

Career development

Full marks for effort

As well as running the IIAs exam success workshop, John Chesshire CFIIA is a tutor on the institutes diploma and advanced diploma programmes and has experience as an examiner and moderator. Time and again hesees candidates missing out on valuable marks, not because of a lack of understanding or knowledge but simply because of poor exam technique. Candidates often fail to manage their time appropriately, answering some questions too succinctly and overshooting on others, he says. Its important to note the number of marks available for each question and allocate your time accordingly. Similarly, providing a focused introduction and a professional conclusion can be positive thing if it adds value to your answer, but it shouldnt make up the bulk of the response or simply repeat whats said in the question. Another common mistake is afailure to answer the question properly. Some candidates interpret the question as they would like it to read or as they have prepared for, rather than answering what has actually been set, Chesshire says. Not reading the question carefully enough can also result in missed marks. Its common for a single question to have

When it comes to achieving success in exams, knowledge is not everything, says John Chesshire.
more than one dimension, he points out. For example, a question might ask you to list four risks and then to describe the appropriate mitigation of those risks. Often candidates will answer the first aspect but forget to address the second. The workshop is designed to give candidates confidence that they have all the skills they need to do their knowledge justice. As well as highlighting the common pitfalls, it provides some usefultips on preparing for and takingexams. There are various thingsthat candidates can do to boost their chances of success, Chesshire explains. For example, before even turning over the paper its a good idea to write down all of the things you have been desperately trying to remember.That information is then down on the paper should you need it, so that you can focus on the job in hand. He also advises candidates to consider the order in which they attempt the questions, because simply working through the paper in sequence may not always be the best approach. Almost all papers have a compulsory first section, based on a scenario, followed by a section where you typically have a choice of three questions out of four. Id advise going to the

32

Be as disciplined as possible, setting aside some time specifically for your studies
second section first and tackling the two questions you feel mostconfident about, he says. That gets you into the exam frame of mind and boosts your confidence before you tackle the more challenging elements. Effective preparation is, of course, crucial.This should include ensuring that you know whats on the syllabus as well as gaining an understanding of what the examiner is looking for. Past papers can prove useful here, according to Chesshire. While each paper is slightly different and has its own character, they can help you to get an idea of the style of approach of the examiner, he says. Knowing what to expect can build confidence and you can also practice the papers against the clock. But he cautions that answers provided in past papers should be seen only as a guide: If your answers are different, they arent necessarily wrong. Candidates can learn a great deal from colleagues who have taken the exams, as well as from their tutors. Many students are not demanding customers, so they fail to make the most out of this resource or the more local assistance thats available to them, Chesshire says. For many IIA members, simply coping with the volume and pressures of study alongside their professional duties will be the biggest challenge. Be as disciplined as possible, setting aside some time specifically for your studies, and make sure that you also take some days off, Chesshire advises. Approaching your exams in a methodical way, little by little, can greatly improve your chances of success. For more information about the workshop or to book your place, email learning@iia.org.uk

You asked us

Our technical helpline provides valuable advice to members on ahost of professional issues. Hereare some of the questions youve submitted recently.
Q. I recently presented my annual opinion to the audit committee and it has requested that I be more explicit about why I gave the opinion I did. The CEO said she felt that my opinion needed more context, with more on the positive things that have happened in the organisation, such as improvements in financial reporting. While I agree about the importance of presenting a balanced view, I dont feel I can or should comment on matters I cant substantiate from my audit work or dont have evidence to support. Should the annual opinion rely only on internal audit work? A. Im encouraged that your organisation is taking so much interest in the opinions you give.It is a positive sign that you have a high profile and that the work of internal audit is understood and appreciated. Supporting your opinion with brief referenceto the individual audit engagements and the highlightsfrom these will put your opinion in context and helpto highlight the priority of the issues involved, so it would be a positive step. I appreciate that balance is required and that acknowledging improvements is a good thing, but I agree that it would be risky on your part to refer to these without validation. I would include assurances from management or other assurance providers only where you can substantiate the improvements that have been made. But I think you have a few options.You could include a section (perhaps after the opinion) that recognises what management has done, indicating that you havent been able to validate this yet, but will provide assurance to the next meeting of the audit committee, building that work into the early part of your new audit plan. Alternatively, you could have early discussions with management or other assurance providers about your opinion that would allow you to make some validation of key or high-priority changes.The practicalities of doing either would have to be thought through and you may come up with a better option. But arriving at some form of solution without compromising your principles has to help your relationship with senior management and theaudit committee. Q. Do you have any advice on what a risk management strategy document should contain, as we have been asked to review the strategy document and provide advice? A. I suggest that you have a lookat our risk management page in the resource library at bit.ly/IIA_Risk.There are documents in the approaches section that talk about how to develop a risk strategy.There is no right or wrong way, but I would recommend the HMTreasury Orange Book and ISO 3100. Q. Is it compulsory for an internal audit function, irrespective of its size, to comply fully with the IIA Standards? Is it acceptable to state which standards it partially complies with and which it doesnt? A.There are three elements to the International Professional Practices Framework: the Definition of Internal Auditing, the Code of Ethics and the International Standards. All of these are mandatory and apply to all internal audit activities, regardless of size. Having said that, IIA Global has recognised that some small internal audit activities may have problems and has recently published a practice guide to help small teams interpret and cope with the standards. It might be useful to look at that if you work in a team of five people or fewer. To answer the second part of your question, the standards are principles and are open to interpretation, so some flexibility is allowed. It is also reasonable to identify a specific point at which you partially comply, but

Q&A

are working towards full compliance, forming a plan as to how and when you will achieve it.This should be discussed with your audit committee and senior managers, as they are best placed to help you interpret how the standards can be applied. In fact, Standard 1312 requires you to do just that: When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the non-conformance and the impact to senior management and the board. As the standard suggests, whether it is acceptable for you to partially or not comply depends on the impact this has upon the organisation.The standards are not simply rules; they are principles designed to help you deliver a valued service. It makes sense, therefore, to work this out with the people you are supporting. Got a question? Contact Chris Baker onthe IIA technical helpline on 0845 883 4739 or email technical@iia.org.uk

33

Student noticeboard

Student noticeboard
Essential information for exam candidates. Visit the student information centre at www.iia.org.uk for updates.
CRMA the new mark of distinction
IIA Global has launched a newprofessional certification: the Certification in Risk Management Assurance (CRMA). This is aimedat experienced internal auditors and provides international recognition for expertise in delivering assurance on risk management, governance andstrategy. The CRMA is available to IIA members for a limited period viaa professional experience recognition route. This means that, until the exam becomes available in 2013, members can gain the accreditation solely on the basis of their existing qualifications and experience. Toachieve the CRMA, a total of 155points are required, based on the following criteria: First degree: 20 points. Masters degree: 25 points.

well-deserved recognition for all their hard work. Visit www.iia.org.uk/crma for further information.

the IIA website at bit.ly/FRtypt, along with the pre-exam instructions to candidates.

Important changes to exam rules and regulations

Following a review of the existing policy, the IIA has published revised exam rules and regulations for the June 2012 exam series onwards. The updates reflect the need to address potential disturbance during exams from the growing number of mobile devices including smart phones, laptops and tablets. While the benefits of such devices are obvious, we must ensure that conditions are appropriate at the exam venues. The revised rules and regulations warn candidates that they are not allowed to take any mobile/ICT device to their desk area in the exam room. Any such device should be left in bags, coats or briefcases and must be switched off. Members failing to observe the rules and regulations face being disqualified from the exam and reported to the IIAs disciplinary committee. In addition to this important revision, there have been otherchanges relating to how timings and notifications about time are given during the exams. Students should therefore ensure that they are familiar with the pre-exam instructions to candidates, which are published alongside the regulations. A copy of the rules and regulations can be found on

Past paper packs and chief examiners reports

The past paper packs and chief examiners reports for the November 2011 exam series have been available since 2 March. Find them in the Qualifications & CPD section of the Student Information Centre at bit.ly/ojoPwP.

Relevant professional experience

(maximum 140 points): 120 months of experience: 100 points. 120-300 months: 120 points. 300 months: 140points. Candidates must have relevant professional experiencein the assessment/ assurance of risk management activities, as well as experience in at least two of the following four categories: Risk management fundamentals. Elements of risk. Control theory and application. Business objectives and organisational performance. In addition, a 100-word narrative is required in supportof each of the three categories identified. Members are strongly encouraged to take advantage of the opportunity to be awarded a global certification on the basis of their experience, as it is available for only a limited period. This is a great way for IIA members to enhance their CVs and achieve some

Authority-to-sit correspondence
Correspondence will be sent out to students registered to sit the June exams on 11 May. Candidates will be required to present a copy of this, as well as a photographic identification document, on entry to the exam room. If you have not received your correspondence by 18 May, contact exams@iia.org.uk or call the assessment coordinator, Aneta Zieba, on 020 7819 1928. Pre-exam instructions will also be made available on 11 May in the Student Information Centre at www.iia.org.uk. The authorityto-sit correspondence will remind students to read these instructions in the run-up to the exams. Further information about your exam venue is also provided on the Examinations page of the website.

34

Professional certification
(maximum 30 points): CIA, CCSA or CMIIA: 30 points. PIIA: 20 points.

Academic qualification
(maximum 25 points): A-levels or equivalent: 15 points.

Case studies for June 2012 exams

Case-study material will be released to candidates on

Your CPD
The Qualifications & CPD section of the IIA website provides detailed information on the institutes CPD policy and members CPD requirements. One key requirement is that voting members monitor their professional development plans over the year. If you are a voting member, please take a look at the resources on the website and check that you are meeting your requirements. For more information, contact the CPD team on cpd@iia.org.uk or call 020 7819 1928.

the format of submissions. An updated version of the journal is now available at bit.ly/GAj6Sv. Section 5, Completing your reflections , includes additional information on how students may approach documenting their evidence, with a further example given covering the IT basics competency.

14 May. Materials for the IIA Diploma accelerated route and the IIA Advanced Diploma will be published online in the Student Information Centre. Students will be reminded of the release via email on 14 May, so they should ensure that their contact details are up to date. Visit the My profile section of the Members home page at www.iia.org.uk.

Extenuating circumstances
Students who are taking the June 2012 exams and wish special circumstances to be considered should read the IIAs policy in full before making a submission. This can be found in the Regulations and policies section of the Student Information Centre on the IIA website. Chief examiners advise that the circumstances being cited by candidates should apply to the day of the exam. While some flexibility will beshown, consideration of a claim will concentrate on the possible effects that an extenuating circumstance might have on the day of the exam. Any circumstances that a candidate claims have affected

their preparation in the weeks or months before an exam and, therefore, their performance on the day, will be subject to rigorous scrutiny. Students who wish to submit details of extenuating circumstances occurring on the day of the exam must do so to the IIA within two weeks of the exam date. Correspondence must be accompanied by documentary or supporting evidence in accordance with the requirements of the policy.

Erratum: P2 Financial Risks and Controls Learning Text

An erratum has been publishedin the Learning materials section of the Student Information Centre (bit.ly/oN7KD7). The update concerns Topic 19, capital investment appraisal, section 19.2.1: Discounting future cash flows , and clarifies the syllabus expectations concerning the understanding and calculation of cash flows.

Updated IIA Diploma professional experience journal

The professional experience assessment team has supplemented the existing journal with extra information on

35

June 2012 exam series

Exams will be held from Monday 11 June to Thursday 14 June. Module IIA Diploma P1 The Internal Audit Environment P2 Financial Risks and Controls P3 Internal Audit Practice P4 Information Systems Auditing P5 Corporate Governance and Risk Management P7 Internal Audit Practice Case Study IIA Advanced Diploma M1 Strategic Management M2 Financial Management M3 Risk Assurance and Audit Management M4 Advanced Internal Auditing Case Study IIA IT Auditing Certificate A1 IT Auditing Certificate Multiple Choice Questions Monday 11 9.30am to11.30am Monday 11 Tuesday 12 Wednesday 13 Thursday 14 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm 2pm to 5.10pm Monday 11 Tuesday 12 Tuesday 12 Wednesday 13 Thursday 14 Thursday 14 9.30am to 12.40pm 2pm to 5.10pm 9.30am to 12.40pm 9.30am to 12.40pm 9.30am to 12.40pm 2pm to 5.10pm June 2012 Time

Looking for more? GO online

Visit www.auditandrisk.org.uk for more internal audit news and a range of resources to help you do your job.

IIA UPDATE

Council elections 2012: open for your nominations

With the IIA Council seeking four new directors, now is a great time to get more involved with the institute. All voting members of the IIA have the right to nominate someone to Council or to stand for election themselves. Joining Council is a great way to share your talents with the IIA and your peers, and a fantastic opportunity to be at the heart of the institutes decision-making. The Council, together with the IIAs executive, is responsible for setting the strategic direction of the IIA and developing its goals and objectives.The Council is also accountable to members for the IIAs progress. The IIA is, therefore, looking for people with experience of working at board level who are comfortable with collective decision-making. As it is keen to ensure that the Council is representative of the diversity of the IIA membership, the IIA welcomes applications from all groups and backgrounds. Any voting member can be nominated to stand for Council, providing that they are proposed by two other voting members. But, as agreed at a meeting of Council inMay 2011, Council members (with the exception of the chief executive) should no longer be paid for work done for the IIA. Council members should also not be partners in, or directors of, any organisation that has contracts with the institute. Acandidate in this position will not, therefore, be eligible for election as an Elected Director of the Council. Four new directors will join the Council after the AGM in October for a term of office of up to three years. If more than four nominations are received, a ballot of voting members will be conducted. Nominations for Council opened on 26 March 2012. Visit www.iia.org.uk/elections to find out more about the role and its responsibilities, and how to apply. Nominations must be received no later than 8 June.

36

Quality services
The IIA recently introduced a range of quality services (see Raising the bar in the March/ April issue), which it developed in response to demand from members. To support and enhance these new services, ithas produced a range of guidance and documentation, including a free self-assessment checklist, which members can download. For further details visit bit.ly/QualityServices. If you would like your organisation to be one of the first to benefit from an IIA external quality assessment andtake advantage of an introductory discount, email technical manager Chris Baker at chris.baker@iia.org.uk.

Dedicated technical helpline

Are you making the most of your membership? If you havent yet taken advantage of the IIAs technical helpline, maybe not. The technical helpline is the IIAs best-kept secret, providing guidance and support to members on all issues relating to the practice of internal auditing. Whatever your question or issue, no matter how big or small, our technical advisers are on hand to find the solution.

IIA training courses & events

For further information or to book, click the Training and events tab at www.iia.org.uk, email trainingandevents@iia.org or call 020 7498 0101. IIA regional events and special-interest groups should be booked directly with the organiser using the contact details provided.

May
8-9
IIA award in the effective delivery of audit and assurance London

18 22 23

Assurance mapping the foundations York

June
12
HIAS: Auditing HR risk a professionals perspective London

19-21 tbc

Internal auditing a beginners course york

10-11 10

Risk based internal auditing a practitioners course York

IIA award in interpersonal skills for audit and assurance London

12-13 13-14 14-15 15

IIA North East: Driving business value and enhancing internal audit practice Sheffield
Keith.morgan@abbotel.com

37

IIA Midlands: Assurance (risk appetite/risk mapping) RAF Cosford

Email: john.beagan@brc.org.uk

IIA award in information systems audit and assurance york

July
5
IIA Midlands Annual Conference: The challenge of change Belfry, Wishaw, Sutton Coldfield

Lean auditing London

23-24

15-17 16

Internal auditing a beginners course Surrey

Risk based internal auditing an audit management course YORK

A practical guide to evaluating risks and controls Dublin

24-25 24-25

Leading the audit team LONDON

IIA award in compliance audit and assurance york

19

Uncovering the truth an insight into IT forensics London

17

Improving audit reports for senior practitioners and heads of internal audit London

IIA South West: Annual conference auditing in an increasingly demanding environment Hilton Conference Centre, Congresbury
Email: john.thomasson@iia.org.uk

How to audit procurement london

Charities Internal Audit Network: AGM and quarterly meeting Charities update and risk management LONDON
info@cianonline.org.uk

Post your event

IIA regions and special interest groups may include details of their upcoming events by contacting trainingandevents@iia.org.uk Please state the event title, date, venue and contact details. The deadline for the July/August issue of Audit & Risk is 16 May.

17

Retail Audit Forum Meeting: Themed around computer-aided audit tools (CAATs), cost cutting and stress management University of Warwick
Email: john.beagan@brc.org.uk Tel: 020 7854 8921

25 29

How to audit expenses and policies London

Fraud risk and the internal auditor London

Congratulations to the IIA members below, who were successful in the November 2011 exams.
The Chartered Institute of Internal Auditors is the only organisation offering recognised professional qualifications for internal auditors in the UK and Ireland.

In November 2011 the following students successfully completed the examined element of the IIA qualifications: IIA Advanced Diploma in Internal Auditing and Management examscompleted

Small, Colin Peter Smedmor, Christopher David Stirling, Alexis Stringer, Richard Stubbs, Bharati White, Pinar Woods, Tracey Wright, Daniel

IIA Diploma in Internal Audit Practice exams completed

Arora, Dimple Anderson, David Atkinson, Andrea Ann Atri, Sunita Sanjay Bailey, Robert Bamberger, Rupert Beckett, Kelly Marie Benmaamar, Sobh Belgrave, Natasha Brant, Andrew Bennett, Helena Breeze, Benjamin John Bertie-Snell, Pia Louise Brown, Stewart Beveridge, Francesca Cantwell, Grace Bolster, Peter Coogan, Stuart David Roy Bourke, Anna Cooper, Alan Bramley, Sharon Culverhouse, Steve Brooks, Elizabeth May Davies, Robert Bykova-Nimmo, Iryna Benjamin Lloyd Cheng, Kenneth Geeken Denny, Gemma Louise Clarke, Steven Ellis, Matthew Clayton, Tessa Fenn, Rowan Charles Clutterbuck, Simon France, Wesley James Richard Furness, Jon Antony Coleman, Susan Gray, Andrew Conchie, Ruth Elaine Greenbeck, Fiona Coughlan, Alexandra Hamilton, Andrew Coveney, Paul David Cox, Leisyen Harrold, Lee Peter Craddock, Victoria Meron Heaphy-Davies, Lindsey Crane, Lewis James Hewitt, Paul Crook, Emma Hinde, Katharine Cross, Helen Hopewell, Peter IIA IT Auditing Curtis, Peter Andrew Jones, Philip Charles Certificate exam Daire, Iain Kaburara, Kimuli Del Greco, Gabriella Kennedy, Kelly completed Antonietta Khan, Addiba Delorey, Nicola Kidd, Jonathan Hoy, Lindsey Miriam Dennis, Hannah Elizabeth King, Simon Richard Jones, Matthew Simon Dickson, Gavin Kenneth Kitchin, Julie Ray, David Alistair Fell, James Lamb, David Robert Rosser, Arran Steven Fiddes, Carolyn Lefevre, Irene Solomon, Martyn Colin Fraser, Heather Lennon, Julie Catherine Gilchrist, Laurie Jolyon Lourie, Matthew The following Girvan, Deborah McCaffrey, Orla students Griffith, Richard McHugh, Matthew Ian successfully Harris, Michele Jean Melluish, Helen Cheryl completed the Hazell, Philip William Miller, Adam following exams Heather, Alison Moloney, Kevin John in November 2011: Hetherington, Julie Momoh, Oluyomi Hussain, Zakir Murray, Debbie P1 The Internal Jackson, Craig Shaun Maria Louise Audit Environment Jackson, Peter Wesley Njolai, Eric SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 Jonas-Nartey, Jocelyn Oldham, Justin Adeyemi, Abimbola Kapoor, Harleen Ooi, Justin Ali, Shiraz Kendall, George Povey, Alex Andrews, Daniel Mark Killen, Melanie Rashid, Shahid Kirk, Maureen Armstrong, Katie Robinson, Andrew Lawson, Susan Helen Arora, Dimple James William Lesware, Gillian Atwal, Jaswinder Kaur Sharman, Nicola Ann Lyons, Mark David Barrow, Gemma Maria Shephard, Kelly Martin, Mairead Rotsin Bolton, Melissa Marie Sheridan, Steven

38

Martin, Sebastian James McCarthy, Connor McNeil, Isobel Mcgregor Mearns, Vicki Mennear, Catherine Helen Louise Middleton, Karen Miles, Neil Mo, Simon Nicholson, Christian Mark Ovard, Neil John Peak, William James Pope, Robert Ravindranathan, Ramah Revell, Susan Rice, Michael Liam Richards, Lianne Richardson, Angela Robertson, Dorothy Russell, Robert Martyn Saxton, Nigel Scott, Gavin Denis Semken, Timothy Sharpe, Graeme Shepherd, Anna Shirley, Lana Simonite, Kyle Sloman, Anne Smith, Claire Smith, Karen Patricia Spilsbury, Grant Bernes Street, Anna Louise Tang, Adrian Taylor, Paul Thomas, Merina Tod, Graeme Duncan Willshire, Richard Wilson, Janine Wootten, Jenny Rose Worrall, Jennifer Helen Zacal, Sarah Lorraine Amy

Bramley, Sharon Briers, Imogen Brown, Steven Edward Brownley, Rebecca Louise Burke, Deborah Jane Byers, Matthew John William Clarkson, Barry Clewes, Joanne Elizabeth Coughlan, Alexandra Coughlan, Michelle Cox, Leisyen Cull, Barrie Arthur Dawkins, Carol Dawson, Carlien Doyle, Allan Duffield, Deborah Nicole Elliott, Nicola Leigh Enfield, Mark Evans, Craig Paul Fittall, Rachel Elaine Fuller, Daniel Goldsmith, Lorna Colbera Greenhow, Triston John Haggerty, Robert James Hainsworth, Richard Anthony Hampton, David Hardwick, Victoria Harris, Michele Jean Holden, Russell Khimani, Dharmila Kilcullen, Annette Koterba, Silvan Marko Lambert, Paul Le Grossec, Elisabet Le Roux, Lone Kirsten Leong, Meng-Chee Manson, Christopher John McCabe, James Alexander Middleton, Karen Millais, Joanne Denise OHalloran, Brid Oughton, Arthur Parnell, Fiona Jane Peak, William James Quirk, Johanne Elaine Roblin, Lloyd Scott, Gavin Denis Semken, Timothy Shah, Nalin Sharma, Surita Simoes, Pedro Sloman, Anne Southgate, Laura Street, Anna Louise Thomas, Alex Thompson, Natasha Tong, Jennifer Waters, Joanne Patricia Welsh, Robert Wyatt, John Martin 17/4/12 12:11 Yap, Felicia

P2 Financial Risks and Controls

Atkinson, Andrea Ann Bancroft, James Peter Banu, Rahela

Barker-Arnone, Emma Branston, David Brown, Steven Edward Byers, Matthew John William Bykova-Nimmo, Iryna Clarke, Steven Clutterbuck, Simon Richard Coleman, Susan Connolly, Angela Coveney, Paul David Daly, Michelle Del Greco, Gabriella Antonietta Dennis, Hannah Elizabeth Draper, David Patrick Dundas, James Enfield, Mark Etule, Raymond Evans, Julie Fell, James Gilbert, Hollie Gilchrist, Laurie Jolyon Girvan, Deborah Hampton, David Heather, Alison Heeley, Jessica Ruth Howe, Sarah Jayne Hussain, Zakir Jackson, Christopher Jackson, Craig Shaun Jonas-Nartey, Jocelyn Jones, Gregory Paul Kaur, Sharonjeet Kilcullen, Annette Killen, Melanie Le Grossec, Elisabet Lewis, Catrin Martin, Mairead Rotsin Masoeu, Kamohelo Matkin, Katerine May McCabe, James Alexander Newell, Katherine Julie Nicholson, Christian Mark Page, Michael Pap, Timea Pinch, Steven Robert Plaxton, Andrew Douglas Pope, Robert Powell, Gemma Kelsey Ravindranathan, Ramah Redward, Tim James Rice, Michael Liam Sharpe, Graeme Silver, Colin Simoes, Pedro Simonite, Kyle Smith, Adrian Brian Smith, Claire Spicer, Mark Spilsbury, Page 1 Grant Bernes Talwar, Kieran Tang, Adrian Thrupp, Michael Tod, Graeme Duncan Wilkin, Gary Andrew Wilton, Rebecca Ann Yap, Felicia Zacal, Sarah Lorraine Amy

P3 Internal AuditPractice
Ackred, Matt Richard Aitken, Anne Al Ruqeishi, Yasir Ali, Mohammed Kashem Ali, Shiraz Andrew, Stuart Atalla, Amanei Baldwin, Tanya Banu, Rahela Bennett, Helena Binnie, Andrew Booth, Darren Breach, Paul Jonathan Clewes, Joanne Elizabeth Coulthard, Rachael Daly, Michelle Eyre-Walker, Louise Firth, Adam Gilbert, Hollie Goldsmith, Lorna Colbera Grainger, Nicholas James Griffiths, Emma Elizabeth Hainsworth, Richard Anthony Handley, Lisa Harris, Heather May Carole Hedges, Sophie Jeffree, Andrew John Khanom, Kamrun Knapman, Kelly Leighton, Ruth Emma Martin, Sebastian James McCullough, Johanne Moore, Christopher David Mulligan, Kevin Neagu, Mariana Penlington, Mark John Rees, Andrew Rimmington, Mal Roberts, Linsey Saleem, Saqib Seymour, Rebecca Simonite, Kyle Smith, Lauren Thomas, Alex Varvill, Richard Vaughan, Peter Edward Velvick, Jonathan Virketyte-Lleshi, Inga Vose, Kathryn Ward, James Lee White, Jessica Willshire, Richard

P4 Information Systems Auditing

Almeida, Joana Isabel Ankach, Kayhan Bailey, Helen Denise Bailey, Robert Baird, Barbara Bennett, Helena Bennetts, Frances Bertie-Snell, Pia Louise Beveridge, Francesca Booth, Darren Brooks, Elizabeth May

Working with aspiring members of The Chartered Institute of Internal Auditors since 1989

Seymour, Rebecca Arrowsmith, Steve Shepherd, Anna Atalla, Amanei Silver, Colin Atwal, Jaswinder Kaur Smith, Frances Bailey, Robert Smith, Karen Patricia Baird, Barbara Smith, Lauren Baker, Janet Irene Stacey, Jane Peggy Baldwin, Tanya Swainson, Karen Ann Baranowska, Ilona Margaret Beckett, Kelly Marie Swift, Louise Marie Bennett, Helena Taylor, Justine Bessell, Robert Taylor, Paul Bolster, Peter Tillman, Alan Bourke, Anna Tong, Jennifer Briers, Imogen Turner, Julie Byers, Jessica Jane Vaughan, Peter Edward Collins, Jonathan Vicary, Yvonne Jane Colyer, Gary Colin Vipond Murray, Victoria Couch, Nathan Louise Counsell, Jennifer Virketyte-Lleshi, Inga Craddock, Victoria Meron White, Jessica Crane, Lewis James Willshire, Richard Cross, Helen Wilson, Charlotte Daire, Iain Wong, Maurice Davidson, Mark Scott Ian Dawkins, Carol P7 Internal Audit Delorey, Nicola Garner, Gemma Louise Practice Case Study Grainger, Nicholas James Griffiths, Emma Elizabeth Belgrave, Natasha Cheng, Kenneth Geeken Harris, Heather May Carole Clayton, Tessa Hayre, Baljit Conchie, Ruth Elaine Hazell, Philip William Crook, Emma Hazell, Stephanie Curtis, Peter Andrew Victoria Pamela Dickson, Gavin Kenneth Hedges, Sophie Fiddes, Carolyn Hetherington, Julie Griffith, Richard Howe, Sarah Jayne Kapoor, Harleen Jackson, Craig Shaun Mearns, Vicki Jackson, Peter Wesley Mo, Simon Jackson, Struan Rae Russell, Robert Martyn Jeffree, Andrew John Thomas, Merina Kendall, George Wilson, Janine Killen, Melanie Worrall, Jennifer Helen Knapman, Kelly Lambert, Paul M1 Strategic Lawson, Susan Helen Manson, Christopher John Management McMahon, Rebecca McNeil, Isobel Mcgregor Anderson, David Moore, Christopher David Ashmore, Victoria Morgan, Gail Beville, Paul Guy Morton, Eric Alexander Breeze, Benjamin John Mulligan, Kevin Brown, Stewart Mulvey, Keith Buwu, Selina Neagu, Mariana Cameron, Angela Neish, China Constance Chessman, Erica Anne OHalloran, Brendan Clark, Michael Mclean Christopher Clarke, Paula OHalloran, Brid Coe, Allan Edward Cox, Richard James Pap, Timea SRS17337-BarSim-BannerStrip-May12:SRS17330-BarSim-DPS-Mar11 P5 Corporate Davies, Victoria Anne Payne, Clive Governance Dodds, Clare Elizabeth Pinch, Steven Robert and Risk Furness, Jon Antony Ravindranathan, Ramah Georgiou, Koulla Renton, David Management Hamilton, Andrew Revell, Susan Aitken, Anne Hammond, Sarah Roberts, Linsey Al Ruqeishi, Yasir Kathleen Robertson, Dorothy Andrew, Stuart Harrison, Andrew Roblin, Lloyd

Chambers, Paul Geoffrey Clarke, Steven Clutterbuck, Simon Richard Cox, Leisyen Craddock, Victoria Meron Craven, Hilary Dawson, Carlien Del Greco, Gabriella Antonietta Draper, David Patrick Elliott, Nicola Leigh Fanning, Nicholas Robert Fines, Barry John Franklin, Andrew Franks, Grant William Fraser, Heather Gallagher, William Paul Garden, Susan Jane Hardwick, Victoria Hazell, Philip William Heather, Alison Heaton, Rachel Ann Heeley, Jessica Ruth Hussain, Zakir Hutchins, Alice Christine Jackson, Craig Shaun James, Derly Eliana Kendall, George Kirk, Maureen Lesware, Gillian Lewis, Catrin Lucas, Kane Anthony Lyons, Mark David Matkin, Katerine May Mennear, Catherine Helen Louise Miles, Neil Morton, Eric Alexander Nicholson, Christian Mark Osmond, Sarah Jane Ovard, Neil John Pope, Robert Ravindranathan, Ramah Renton, David Richards, Lianne Richardson, Angela Saxton, Nigel Sharpe, Graeme Shirley, Lana Spilsbury, Grant Bernes Swift, David Talwar, Kieran Tang, Adrian Ward, Theresa Rose Watts, Jenny Webb, Joseph Wootten, Jenny Rose Yorkston, David

Hirst, Matthew Kaburara, Kimuli Khan, Addiba Lennon, Julie Catherine Lockhart, Neil Harrison Long, Duncan Meehan, Anthony Melluish, Helen Cheryl Njolai, Eric Onslow, Natalie Jane OToole, Brendan Rai, Ramesh Rex, Michelle Roberts, Lisa Satheesababu, Sonya Sharman, Nicola Ann Shelton, Timothy Charles Shephard, Kelly Stirling, Alexis Trevallion, Nicola Louise Turner, Nadine Welsh, Wendy Teresa Wilson, Andrew John Wood, Claire Louise Wood, Matthew Woodward, Louise

M3 Risk Assurance and Audit Management

Atri, Sunita Sanjay Bamberger, Rupert Beville, Paul Guy Bradshaw, Heather Bull, Andrew John Chalmers, Amanda Clark, Michael Mclean Davies, Robert Benjamin Lloyd Durkin, Katey Edwards, Karen Fenn, Rowan Charles France, Wesley James Greenbeck, Fiona Hewitt, Paul Hirst, Matthew Jones, Philip Charles Kennedy, Kelly Kidd, Jonathan King, Simon Richard Lamb, David Robert Lefevre, Irene Lennon, Julie Catherine Leung, Wai Liveston, Kirsty Lourie, Matthew Marshall, Imogen Massey, Jonathan McCulloch, Andrew Bruce Quick, Jane Rex, Michelle Spencer, Jill Tariq, Moazzam Thompson, Sarah Turner, Nadine Willetts, Karen Windsor, Graham Wood, Claire Louise Wood, Matthew

M2 Financial Management
Ashmore, Victoria Barron, Francesca Helen Breeze, Benjamin John Burrage, Peter Cardwell, Mark Douglas Chessman, Erica Anne Clapham, Fred Coogan, Stuart David Roy Cox, Richard James Davies, Christopher Stuart Denny, Gemma Louise Ellis, Matthew George, Lisa Elizabeth Gough, Paul Hammond, Angela Dawn Marie Heppleston, Russell James Hinde, Katharine Hopewell, Peter Leung, Wai Liveston, Kirsty McCulloch, Andrew Bruce McHugh, Matthew Ian Miller, Adam Moloney, Kevin John OShaughnessy, Paula Proctor, Richard Murray Rashid, Shahid Robinson, Andrew James William 17/4/12 12:11 Smedmor, Christopher David Stringer, Richard Tariq, Moazzam Thomas, Craig Trevallion, Nicola Louise Tyrrell, David Willetts, Karen

M4 Advanced Internal Auditing Case Study

Allen, Mark Steven Anderson, David Atri, Sunita Sanjay Bamberger, Rupert Benmaamar, Sobh Bowman, Keith Brant, Andrew Breeze, Benjamin John Brown, Stewart Buwu, Selina Page 1 Cantwell, Grace Cardwell, Mark Douglas Coogan, Stuart David Roy Cooper, Alan Culverhouse, Steve Curran, Gary Patrick Davies, Robert Benjamin Lloyd

Denny, Gemma Louise Ellis, Matthew Furber, Kathryn Gray, Andrew Greenbeck, Fiona Hadden, Catherine Margaret Hall, Mabel Mary Hamilton, Andrew Harrold, Lee Peter Heaphy-Davies, Lindsey Hedley-Smith, Martin Hewitt, Paul Hinde, Katharine Hopewell, Peter Jones, Philip Charles Kaburara, Kimuli Khan, Addiba Kidd, Jonathan King, Simon Richard Kitchin, Julie Lamb, David Robert Lefevre, Irene Lourie, Matthew McAteer, Kieran Anthony McCaffrey, Orla McGreevy, Samuel Gerald McKee, Alan Melluish, Helen Cheryl Miller, Adam Moloney, Kevin John Momoh, Oluyomi Murray, Debbie Maria Louise Oldham, Justin Ooi, Justin Povey, Alex Scott, Colin Alexander Sharman, Nicola Ann Shephard, Kelly Sheridan, Steven Small, Colin Peter Smedmor, Christopher David Stirling, Alexis Stubbs, Bharati White, Pinar Woods, Tracey Wright, Daniel To find out how you can become qualified with the IIA, call 0207498 0101, visit www.iia.org.uk or email studentsupport@ iia.org.uk Disclaimer: although every effort has been made to ensure the accuracy of the above information, the Chartered Institute of Internal Auditors accepts no responsibility for any errors or omissions.

39

Working with aspiring members of The Chartered Institute of Internal Auditors since 1989