CASE 1 -

Answers should be written/presented using powerpoint using the following format: (In bullet form and then explanation) 1. Company Background

2. Case Facts 3. Issues

4. Important Concepts related to the Case 5. Proposed Recommendation for Each Issue Identified

Applying internal audit resources Internal audit needs to make sure that the resources it has are sufcient to meet the expectations of the audit committee. This requires careful planning and a realistic view of the budget and skills that the audit function has. I Telecoms provider BT's director of internal audit and enterprise risk management lames Grigor sets out how he ensures the function's activities are properly resourced ' British Telecom (ET) is the UK's largest communications service company. It has an annual revenue of Lzobn and employs over 90,000 people, with customers in more than I70 countries. Over 60% oi Fortune 500 companies including Google. Microsoft and Pepsi use BT's networked IT services. lames Grigor joined BT as director at internal audit in 2002 He has a team oi 67 internal auditors who are all based in the UK. They carry out operational audits and review work primarily in the UK, Europe, and North America, while Big Four accountancy rm Ernst tit Young periorms much of the internal audit work for the group's operations in Latin America, Middle East and Africa, and Asia Pacic through three regionally based co-sourcing agreements. These reviews are overseen by BT Internal audit and lollow the same methodology that the function employs in all its reviews. Over the past five years the number of ET internal auditors has reduced slightly, though the use of co-sourcing has risen. Two years ago BT's internal audit department changed its operating structure. Previously, the internal audit function had been aligned 'vertically" with each of BT's six lines of business (Openreach, Retail, Global Services, Wholesale, BT Innovate and Design, and ET Operate). This meant that the function was elfectively split into six different sections so that there was a dedicated and separate internal audit team for each of these business areas, plus a "It would be impossible to allocate internal audit resources to every project in BT" lames Grigor, BT nance team and a general internal audit team that carried out reviews across the group. A potential problem with such an approach was mat internal audit's expertise could become "siloed', meaning that operational Expertise and key skills were not being shared between the different internal audit teams. It also meant that work was being duplicated, and resources were being misspent. Grigor rearranged the internal audit function's structure so that it was aligned 'horizontally" across the organisation. Practical advice for applying internal audit's resources 1 Ensure that the internal audit function has the right development practices and the right mix of people headcount is just a number. 2 Ensure that sound recruitment processes for the intemal audit team are in place. Be clear about the skills thatare required and that the people recruited have them: recruitment is the most important management activity that any F'm'mmp'e' ""3 \"""i \"am" MW"!- now conducts all reviews ol billing sys ems 1 anin the annals in the funrtinn with the smile Ilietiluuvlugy was true Iullcuulteiupiuya nance team and a general internal audit team that carried out reviews across the group. A potential problem with such an approach was that internal audit's expertise could become \"siloed\Ie global reach of BT's activities, of business, and le number of it the group is involved in, the Iitfunction's resources have to d and accounted for carefully. "lt npossible to allocate internal audit ) every project in ST," says Grigor. e audit the overarching processes for ' systems and check the over~riding i behind these decision-making ather than attempt to review the if each individual project," he adds, aligned with the organisation's key risks. Of that, around 20% of internal audit's budgeted days are spent on reviewing nancial, governance and regulatory risks: 15% of the function's allocated days is spent looking at contract management and how customer complaints and delivery failures are dealt with, and controls preventing information security breaches and service interruption. Compliance with the US Sarbanes0xley Act (50X) which aims to improve corporate governance and foster better internal control and which is a regulatory requirement for companies with a US-Iisting remains a key area for internal audit: about 10% of the function's resource is spent on SOX reviews, and that is unlikely to decrease. A significant focus of BT's internal audit resource strategy is devoted to training and development. \"When lioined BT in 2007 the internal audit team was largely made up of 'generalists' with around one quarter of the team holding a professional qualication. Since then, we have established a strong IT and technology capability and a strong nance team. We have made a firm commitment to train and upskill our people: presently, 60% of the team have professional qualifications in either internal auditing (Chartered Institute of Internal Auditors), or IT or accountancy,\" says Gn'gor. The investment in training means that it is quite rare that the internal audit function requires a skillset that it does not have in- house. "If we need other expertise, then we will look for it inside the business first or buy it in from one of our co-sourcers,\" says Grigor. "We have not historically seconded internal auditors and put them into the business to learn skills: the opportunity for such short term roles does not often arise. However, we see increasing numbers of our team moving into permanent roles elsewhere within BT where their risk and control disciplines can be used to great effect," he says. Assurance vs consultancy In recent years the internal audit function has been asked to provide assurance Useful professional guidance The general principles regarding what resources are needed and how to apply them are set out in Standard 2030: Resource Management in the International Standards for the Professional Practice of internal Auditing (http://bItJy/LXM ISA). Practice Advisory 2030-] states that the level of resource should be related to the nature and extent of assurance the audit committee and senior managers want (http://bitJy/K7NMNh). The Chartered Institute of Internal Auditors' professional qualications also highlight issues surrounding assurance needs and consultancy services, as does its learning materiais. For example, M3 Learning Text - Topic 8 (on internai audit's varied roles) includes a section on the scope of consultancy work. Visit www.iia.org.uk for more information, including the llKnowledge Centre", which contains a wide range of resources on risk managementand internal auditing. \"It is important to understand how internal audit functions in other organisations operate, including how they apply their resources, so that we can learn from their best practices" James Grigor, ET on a wider range of risks and business areas as the executive team has realised the value of the work it carries out. However with the agreement of the audit committee Grigor says that the function's primary role is to serve the business as assurance providers; any consultancy work that internal audit carries out is secondary to its core focus. \"We have three criteria that need to be satisfied if we are going to carry out consultancy work," says Grigor. \"Firstly, the work we are being asked to do needs to materially impact the business. Secondly, we must have the skills within the team to be able to carry out the work. And thirdly, we must be able to have the time to do the work without jeopardising our activities in the core assurance programme," he adds. Grigor says that the key to maximising one's resources properly is about using the skills of the team rather than iustfollowing an approach. He also says that it is also important that the internal audit team learns from its own experience; not just from changes or challenges team members have faced in BT, but from the organisations where they were previously employed and the best practices that they adopted there. It is also important to learn from external sources, says Crigor, This can include the practices that the Big Four accountancy rms carry out, professional guidance issued by the Chartered Institute of Internal Auditors and other bodies, as well as presentations given by other heads of internal audit at conferences. BT's internal audit function has a Practice Ofce of five people that regularly reviews best practice in its own operations, but also reviews what other internal audit departments and external assurers are doing, as well as ensuring that the guidance and standards of the CIIA are observed. This team also undertakes the quality assurance review of the internal audit team's own output. \"It is important to understand how internal audit functions in other organisations operate, including how they apply their resources, so that we can learn from their best practices. This will help foster a culture of continuous improvement,\" says Grigor