External Reviews - experience
SLACIAG Conference June 2013 Dundee
Robert Beattie
Head of Audit, Clydesdale Bank & Yorkshire Bank

Drop in picture of man looking in mirror
Covering
- Why do it?
- My experience
- Frameworks
- Tips
- Example recommendations
- Summary

Why do it?
My experience
- HBOS - Deloitte 2003 (dry-run)
- HBOS - KPMG 2003
- British Energy - Independent Audit 2007
- Friends Provident - KPMG 2010
- NAB (Clydesdale / Yorkshire) – IIA (Aus) 2012

Framework – Deloitte (Benchmarking)
5 Ps model
- Purpose
  - Role
  - Stakeholder needs
  - Value add
- Position
  - Seniority
  - Independence
  - Responsibilities
- Process
  - Methodology
  - Reporting
  - Technology
- People
  - Skills mix
  - Knowledge
  - Development
- Performance
  - Continuous improvement
  - Stakeholder satisfaction
  - Staff motivation

Framework - Independent Audit (Effectiveness)
- What is IA there to do?
  - Does charter reflect reality?
  - Does it reflect expectations?
- Is it equipped to do it?
  - Attributes / attitudes
  - Capabilities / tools
  - Does culture support audit?
- Does it do what supposed to?
  - Expectations met?
  - Plan, exec, report
  - Working style

Framework - Independent Audit (Effectiveness)
- What is IA there to do?
  - What are views of stakeholders?
  - Are there conflicting views?
  - What services do you offer?
- Is it equipped to do it?
  - How robust is your planning process?
  - Do you have the right team?
  - Are you credible?
- Does it do what supposed to?
  - How do you explain your plan?
  - How do you fill technical gaps?
  - How visible is IA?
Report structure:
- Organisation & resources
- Stakeholder relationships
- Management of IA
- The IA charter
- Independence
- Audit planning
- Carrying out the work
- Reporting

Framework – KPMG (Effectiveness)
3 Ps model
- Positioning
  - Drivers & Mission
  - Org. & structure
  - Success criteria
  - Funding
  - Customers & services
- People
  - Competencies
  - Staffing strategy
  - Reward / appraisal
  - Culture
  - Career progression
- Processes
  - RA, planning, delivery
  - Tech.
  - Rel. mgt
  - Performance measurement
  - Admin.
Note: IIA standards assessment was by-product

KPMG - Questions
- Does structure promote objectivity?
- Are core competencies related to mission, role, scope?
- Quality of admin processes?
- Good risk based planning methodology?
- Is IT used to enhance operations?
- Established progression, training and competency dev?
- Is the function valuable to the business?

Framework – IIA (Aus)
- Independent validation of self-assessment
  - Planning
  - Methodology
  - Quality
  - Skills & resourcing
  - Systems & processes
  - Reporting
- Approach
  - Interviews with key stakeholders (3 - No NEDs!)
  - Review of self-assessment templates
  - Review of audit files
- Outcome
  - Conformance assessment against standards

Tips
- Front foot / in control (anticipate)
- Prepare well in advance (planning / costs)
- Involve stakeholders early (drivers / requirements)
- Use your network (share experiences)
- Lead selection process / aim for senior resource

Tips (cont’d)
- Plan the timetable (when / how reported)
- Involve your whole team (4/5 months end to end)
- Help the review team (be up front / admin)
- Be prepared to constructively challenge outcome
- Act on the outcomes

Example recommendations
- Further improve profile and expertise in x area
- Refresh stakeholder analysis and associated actions
- Link annual plan and audits to business's strategic priorities
- Increase involvement of IT specialists during planning
- Plan should state at high level areas not being covered

Example recommendations (cont’d)
- Perform assurance mapping exercise – link to key risks
- Develop 3-year strategic plan setting out vision, objectives…
- Further consider use of auditing tools, such as CAATs
- To improve business understanding, spend more time on-site
- More formal succession planning (with bus. successors)

Summary
- Drive purpose and agenda
- Plan well ahead for a ‘good’ outcome
- Actively select the right reviewer / framework
- Know your reflection and what ‘good’ looks like
- Have plans in place to fix any gaps
- Enjoy being audited

Questions?