Canada: Aligning Internal Audit - Are You On The Right Floor?

Last Updated: July 17 2012
Article by Matthew Wetmore


First there was the financial crisis. Then came the recession and regulatory reform, and disparate headlines: an oil spill in the Gulf of Mexico, a tsunami and radiation leak in Japan, heat waves and cold snaps, struggling economies, cruise ships running aground, financial firms going under, tainted food recalled, hackers stealing personal information from millions, and on top of it all, continued uncertainty over the strength of the economic recovery.

Against this backdrop, it's no surprise that of the 1,530 executives from 16 different industries and 64 countries who participated in PwC's 2012 State of the Internal Audit Profession Survey, the majority say their businesses face more risks than ever before. With global trade, supply chains, and financial markets all intricately linked, risks become apparent quickly, unexpectedly, and with significant impacts on company operations, reputations, and even survival. All this has led companies to become more engaged than ever before in improving their ability to define, communicate, and manage their global risk profile.

The rising importance of risk management

In our eighth annual examination of the internal audit profession, we focus on the rising importance of risk management and the increasing expectations of internal audit's contribution to the effort. While previous studies surveyed only chief audit executives (CAEs) to learn their responses to the year's most pressing challenges, this year's survey expanded to include other executives, audit committee chairs, and board members, who were asked their views on today's critical risks and the role they expect internal audit to play in addressing them. More than 660 of these stakeholders joined 870 CAEs in sharing their points of view through participation in our survey, and nearly 100 CAEs and stakeholders participated in one-on-one interviews, enabling us for the first time to share an outside-in look at the profession.

This paper highlights rising stakeholders' expectations and where they want internal audit to play in the risk management challenge, to deliver the greatest value. We also explore how leading internal audit functions have aligned themselves with these rising stakeholder expectations by expanding the footprint of risks they cover and clearly communicating deeper insights—"raising the floor" in a way that sets a new standard for internal audit functions across industries, geographies, and company sizes. Stakeholders and CAEs alike have recognized that in order for internal audit to be effective in supporting organizational risk management efforts, the minimum standard of performance has to rise. In today's ever-shifting risk landscape, internal audit can't settle for simply reacting to events; instead, it must adopt a strategic mindset that is responsive to risks and helps ready their organizations for new threats and opportunities.

By leveraging their core competencies, developing trust-based relationships, and providing deeper insights, leading internal audit functions have proven they can earn a seat at the table—one audit at a time.


Today's complicated risk landscape

Across industries and geographies, company stakeholders have become more engaged with risk issues and have been seeking to improve their ability to define and communicate a clear, firm-wide risk appetite. The evidence of this trend is in the 1,530 responders to our 2012 State of the Internal Audit Profession Survey, among whom an overwhelming majority (80%) shared their view that risks to their organization are increasing.

Survey results and interviews revealed that the risk landscape is growing and rapidly changing as new risks emerge, challenges associated with more traditional risks continue to evolve, and stakeholders and CAEs shuffle their lists of the most pressing risks facing their organizations. Along with concerns over continued economic uncertainty, ever-increasing regulatory requirements, and the financial market roller coaster ride of the past four years, we continue to see companies name traditional areas of concern such as fraud and ethics, mergers and acquisitions, large programs, new product introductions, and business continuity among their top five risks.

The response rate on the question of the most critical risks facing the organization showed that virtually all risks on which we surveyed were critical to hundreds of survey participants. Figure 1 shows the 15 critical risks cited most frequently by our survey respondents.

What is making risk more risky?

The inextricable linkages between global trade, financial markets, and supply chains have resulted in risks arising unexpectedly and with far-reaching ramifications on reputation and even business survival. "Business has become so globally diverse," points out Microsoft CFO Peter Klein, "that it is an ongoing challenge to scale this with different cultures and operating models—and develop the tools and technologies to adjust to the continued global diversification."

Executives told us that the complexity, unpredictability, and variety of risks are the top three reasons they feel their risk profile is changing, and that management of critical risks continues to be a challenge. We saw this manifested in a variety of headlines throughout 2011, among them:

  • "Sony PlayStation Breach Involves 70 Million Subscribers." The April 2011 hacking of Sony's PlayStation Network cost the company more than $171 million in cleanup costs, and analysts predicted the cost of investigations, compensation, lost business, and additional data security investments could push the total much higher.
  • "News of the World Shuts Down Amid Scandal." Following a major phone-hacking scandal involving its employees, venerable British tabloid News of the World was shuttered by owner News International in a reported attempt at corporate damage control.
  • "Smartphone Parts Shortage Caused by Japanese Quake": The March 11, 2011, earthquake, tsunami, and nuclear reactor breach in Japan forced the temporary closure of many high-tech manufacturing plants, among them one that creates a crucial polymer used in 70% of lithium-ion batteries worldwide. The subsequent shortage affected technology companies internationally, including Nokia, RIM, Sony Ericsson, and, to a lesser extent, Apple and Samsung.

Executives we spoke with also emphasized that the speed at which information becomes public also leads to a lower confidence level regarding how well risks are being managed. As Kanwardeep Ahluwalia, managing director of financial risk with Swiss Re, observes, "In a world of ever-faster communications and instant transmission, there is also the possibility of an additional dimension of complexity brought about by the very perception that risks have increased . . . but perhaps we feel risk is growing simply because we know more."

Many risks are not perceived as well managed

As the risk landscape continues to evolve and shift, on average less than half (45%) of those surveyed told us that they are comfortable with how well their most critical risks are being managed— despite the fact that 74% of those surveyed have formal enterprise risk management (ERM) processes in place. The relatively low confidence level expressed by survey respondents in many risk areas tells us that stakeholders won't feel their organizations are managing risks effectively until they significantly up their game regarding both the management of risks and the communication of risk management results. It is for this reason CAEs must be focused on ensuring internal audit understands the organization's risk landscape and is aligned with stakeholders on the areas of greatest concern, putting the function in a position to address risks in a timely manner, provide insights on risk impact, and clearly communicate recommendations focused on improving business performance.

As we analyzed confidence at the risk level, we noted that stakeholders and CAEs consider financial markets to be their best-managed risk, with a combined 63% feeling this risk is well managed. Their confidence may be the result of hard work: For the past four years, since the beginning of the recession in 2008, businesses have been engaged in a full-tilt, head-on struggle against financial turmoil. They've had to maneuver their way past frozen lending markets, major currency fluctuations, stock volatility, and other potential cataclysms, and in the process have become more adept at addressing financial challenges. While financial market issues aren't getting any less complex, businesses feel that they are in better shape to address them.

But while companies have been busy putting out financial fires, business realities have continued to change. A particularly thorny, long-term threat has become acquiring and retaining staff in a global, technology-driven market where key skills like engineering and IT are in high demand and short supply. Respondents identified talent and labor risks as a significant risk, but only 23% had confidence in their organization's ability to manage this risk well. As explored further in our 2012 Global CEO Survey, competition for human capital is intense, and many companies are feeling the pressure to up their talent management game, using models and strategies that can vary significantly from those that made their organizations successful in the past. (For example, where companies might once have recruited expatriates for overseas positions, recruiting local talent with the required technical and language skills may now be a critical success factor.) Talent and labor risks are further complicated in emerging economies, where employee loyalty might be relatively low and where local companies are beginning to lure top-performing candidates into their own ranks through improved salaries and benefits, and appeals to patriotism. Overall, companies' current talent management programs may not be equipped to handle the size and range of changes currently underway, leading to a lack of confidence among stakeholders and CAEs.

The need for alignment between business and internal audit

Gaining stakeholder insight in our survey for the first time allowed us to compare viewpoints between stakeholders and CAEs at a macro level. While these macro views may not be representative of your individual organization, they do provide indicative data for areas where alignment is being achieved, and for those areas where further dialogue between stakeholders and CAEs is needed.

Why is alignment around risks so important? For internal audit to be truly effective, an organization must create a culture whereby stakeholders and CAEs hold robust dialogue around enterprise risks, share their objective perspectives, and reach a common viewpoint on the role of internal audit around the most critical risks. Given the number of risks facing organizations today, alignment around the most critical risks is essential to prioritize and enable effective allocation of resources. Absent this alignment, CAEs may fail to target resources to those areas stakeholders consider most critical— thereby missing the opportunity to deliver value to the business.

In our survey, 47% of stakeholders said that risks to their business were well managed, compared to 40% of CAEs. Digging into individual risks (see Figure 2) revealed six areas of more pronounced disparity, with stakeholders expressing significantly greater confidence (10 percentage points or more) than CAEs. One of the greatest divergences in viewpoint came within management of risks associated with fraud and ethics, where 53% of stakeholders felt confident in their organization's management of risks, compared to only 35% of CAEs. Confidence around risks associated with mergers and acquisitions and joint ventures showed a similar diverging viewpoint, with 50% of stakeholders expressing confidence, compared with 33% of CAEs.

While diverging viewpoints may result from numerous factors, the takeaway here is a clear call for continued stakeholder and CAE dialogue on how well each perceives risks to be managed. Misalignment in either direction can lead internal audit to sub-optimize allocation of resources and not adequately focus on the risks most critical to the organization. With the risk landscape shifting underfoot, it is no longer good enough for internal audit to just be at the table; it must also be confident that its prioritized areas of focus are affecting the areas of greatest risk to the organization.

Size and industry matters

Though survey respondents across the board expressed relatively low confidence levels regarding risk management, looking at the results by company indicate that the size of the organization has an impact: Overall, respondents' confidence in how well their organization manages risks was 20% higher at companies with $10 billion or more in revenue, as compared to companies with revenues under $10 billion. This survey finding confirmed what we've seen in our experience: Larger companies have more advanced processes and tools to aid in their risk management challenge—yet effective risk management is no less important at mid-sized and smaller companies. Despite the higher confidence expressed by respondents from large companies, there's still considerable room for improvement. While size does apparently matter, the question for CAEs of the smaller and larger organizations alike is, what additional efforts should internal audit be undertaking to enable confidence levels around risk management to rise? The specifics of internal audit's role may be different depending on a company's size, but the need to take action remains the same.

Further, evaluating survey results by industry confirmed that the most critical risks and the confidence stakeholders have in their ability to manage those risks vary by industry. The only common thread was that respondents across the board named talent and labor as their least well-managed risk. See Figure 3 for a ranking of the three least and most well-managed risks by industry groups.

A proactive approach for success

Survey results also indicated that managing risks better may have an impact on financial performance, as organizations with financial performance above their peers (regardless of company size or industry) expressed an average confidence level of 53% across the top 15 risks. By comparison, only 25% of companies that perform financially below their peers believe they manage the same risks well.

Recent experience indicates that with the world watching a more instantaneous media, planning for the management of adverse events is as important as identifying and managing the risk in the first place. Leading companies differentiate themselves in the risk management arena by transitioning from a reactive to a proactive mindset that anticipates risks and helps position the organization for new threats and opportunities. These companies stand out by better understanding and managing their risks, protecting themselves by building financial buffers, creating supply chain redundancies, and proactively managing their response to risks. In essence, they are better prepared to react to or take advantage of opportunities resulting from risks becoming reality.

This is the strategic mindset to which internal audit should align. "Instead of just asking what might go wrong, also imagine thinking what needs to go right so as to ensure systems, processes, and management focus are aligned to achieve successful outcomes for the company's strategy in the face of a variety of possible situations and external scenarios," says Jason Pett, PwC's US Internal Audit leader.

Stakeholder expectations of internal audit

Stakeholders have spoken and the message is clear: With risks rising and awareness of those risks becoming a matter of ever greater investor concern, they are seeking greater assurance in their companies' ability to manage current and future risks. In our interviews, we heard time and again that stakeholders value internal audit's ability to identify risks, evaluate their threat, and recommend processes and controls to manage them.

Survey results showed that stakeholders rank the traditional internal audit job of "auditing of financial controls and compliance" as their first expectation, but that "providing advice on risks and controls" rates a very close second. To add to stakeholder confidence and be seen as a vital, contributing business partner, internal audit must reach a point where it fulfills both of these expectations equally well: providing traditional assurance with deep insights and business perspectives.

In this section, we'll discuss stakeholders' views of internal audit's contribution, and areas in which they desire more.

Stakeholders value internal audit's contribution

Stakeholders consistently told us that they saw internal audit as having an important role to play in monitoring their organizations' top risks. Among respondents who selected fraud and ethics and data privacy and security among their top risks, an overwhelming 97% and 96% (respectively) value internal audit's contribution. Interestingly, these two risk areas also have the greatest level of alignment in overall viewpoint between stakeholders and CAEs.

Over three quarters of respondents who ranked business continuity, large program risks, mergers and acquisitions, regulations and government policies, and reputation and brand among their top risks also had high ratings on the importance of internal audit's contribution to monitoring them. In fact, there were only two areas of risks (commercial market shifts and competition) for which fewer than 50% of stakeholders perceived internal audit's role to be important. The takeaway? The majority of stakeholders expect internal audit to be actively engaged in helping the organization monitor and manage its most critical risks.

While this overall importance level is relatively high, there were only two areas (fraud and ethics risk and data privacy and security risk) where more than 50% of both stakeholders and CAEs alike believe internal audit's role to be "very important." Within data privacy and security risks, however, a disparity emerged around the criticality of internal audit's involvement: Though alignment on overall importance is within 2%, stakeholders were 17% more likely than CAEs to assess internal audit's role as "very important." In our experience, this divergence of viewpoint on the criticality of internal audit's role may result from several factors, including the fact that this risk has not historically been included in internal audit's scope, and/or that internal audit may lack the specialized skill set needed to effectively audit and recommend improvements in this area. Given this rapidly developing risk area, it is almost to be expected that stakeholders and CAEs are not yet fully aligned on the critical importance of the role internal audit plays—yet another indicator that as the risk landscape shifts rapidly, CAEs and stakeholders must work to stay aligned both on the impact of this risk to their organization and on the specifics of the role internal audit should play.

Further evaluation of the data shows that for virtually all risks, it is the CAEs who place internal audit's role higher on the scale of importance. This may indicate that CAEs believe they are playing a substantive role in these areas, whereas stakeholders do not yet consider their input to be as valuable.

Or worse yet, it could be an indicator that internal audit understands the potential importance of their role, but something is holding them back from taking a seat at the table and effectively delivering value. In either case, CAEs and stakeholders need to consider what internal audit is doing to be relevant in these critical risks areas, and, if they are already playing a role, what internal audit should be doing to increase their level of importance and contribution in the overall risk management effort.

Stakeholders want more

More than 20% of stakeholders reported that internal audit paid too little attention to the vast majority of risks on which we surveyed (see Figure 5). These survey results pinpoint heightened stakeholder expectations for many areas on which traditional internal audit functions have not focused—such as talent and labor, new product introductions, and economic uncertainty. The fact that a risk hasn't historically been a focus for internal audit should not hinder internal audit's ability to play an important role. "Some would argue that internal audit doesn't have a role to play in areas such as innovation or antitrust," says the CAE of a leading technology company. "And it's true we don't have deep expertise in those areas. But we can ensure transparency of risk and that management has all the information it needs."

While we recognize our survey results represent a macro point of view, they do indicate that at many organizations, internal audit may not be giving the proper focus or delivering the results stakeholders want across their most critical risks. Ongoing dialogue between stakeholders and CAEs is vital to ensure internal audit places its focus and allocates resources to the areas most aligned with stakeholders' expectations.

Stakeholders want focus in all of their critical risk areas

Consistent with stakeholders' feelings that internal audit has an overall important role to play and that there are many areas of risk where not enough attention is paid, interviews and survey results also showed that stakeholders believe internal audit functions should view all risks on which we surveyed as being within their mandate, but should also tailor their scope to focus on the greatest risks facing their organization. The demand for overall increased attention came through in survey results, with 65% of stakeholders responding that they want internal audit to play a more substantial role in monitoring risks. And, when asked the specific areas where stakeholders want internal audit to maintain, add, or reduce focus, virtually no one wanted internal audit to reduce focus on the top risk areas. This is yet another key indicator of stakeholders' increasing expectations of internal audit in an ever-growing and shifting risk landscape.

As we see in Figure 6, stakeholders and CAEs have fairly strong alignment on the view that internal audit should maintain or add capabilities across all of the top 15 risk areas. However, in the areas of fraud and ethics and business continuity, CAEs' plans to add capabilities outpace stakeholders' expectations by 16 percentage points and 10 percentage points, respectively. While both of these risk areas have been on the agenda for some time now, it is clear that CAEs feel a greater need to increase their focus on monitoring them. While these risks are clearly complex and evolving rapidly, focusing too many resources on them will divert attention from other risk areas that the stakeholders we surveyed identified as more important. Faced with limited resources, internal audit must allocate resources to the most optimal areas aligned with stakeholder expectations. If they choose the wrong areas to over-invest in, the effort expended may very well be at the cost of missing a more critical business risk, leaving the organization unnecessarily exposed.

Stakeholders want coordinated lines of defense

We often refer to risk management in terms of "lines of defense," the multiple layers of activities that help ensure risks are efficiently and effectively managed and monitored in the manner intended by executives and non-executives. Stakeholders place value in the role internal audit plays as the third line of defense— providing objective assurance—but they value just as highly internal audit's ability to effectively coordinate across the first and second lines.

As the third line of defense, internal audit assesses, for boards and audit committees, how well the organization's governance, risk, and compliance processes are working— especially the first and second lines of defense. Dennis Powell, Audit Risk Committee chairman at Intuit, is one of many executives we spoke with who expects internal audit to be coordinated: "Internal audit has to identify areas where controls are not operating as they should be, and where risk management is not as robust as it needs to be."

Of course, a pure third line of defense position is best played when the first and second lines are mature. Our experience indicates that when the second line is not in place or not mature, internal audit's expertise should be leveraged to identify the risks and serve as a catalyst for improved risk management within the company's individual business units.

Ultimately, though, executive management must firmly own the first and second lines, and keep ultimate responsibility for managing risks. "You must have risk management embedded within your strategy," says David Burritt, chairman of the Audit Committee of Lockheed Martin. "Internal audit is ideally suited to advise on risk management processes and systems, but it is the business that must be ready to take action when risks emerge."

While stakeholders value the role of internal audit as the third and last line of defense, survey results indicated that internal audit still has significant ground to gain as it relates to coordination with the second line. Seventy-four percent of organizations in our survey reported having formal enterprise risk management groups, yet less than 50% of respondents believe their internal audit functions are well coordinated with these groups.

Improving coordination between the second and third lines brings value in both directions: internal audit benefits from input that helps it focus its efforts in the right risk areas, and risk management and compliance groups benefit by leveraging internal audit's broad organizational view to bring cohesion to the organization's overall risk management efforts. "Internal audit provides value by taking a holistic view of the company." says Leslie Heisz, audit committee chair at Ingram Micro. Also demonstrating alignment with the risk management function, Andrea Cummings, VP of internal audit at BlueScope Steel, told us her internal audit group "considers the group risk profile during audit planning to identify key focus areas for the annual plan. In particular, internal audit reviews the mitigation actions proposed by management to consider if they are operating effectively."

As risk management functions continue to take shape, CAEs and stakeholders need to seek agreement on how the lines of defense should coordinate. This coordination and alignment will enable internal audit to better engage in risk identification, conduct more thorough risk assessments, and ultimately position the function to play an enhanced role in overall risk management efforts.

Stakeholders want an insightful and objective viewpoint

When stakeholders were asked for their top expectations of internal audit, as expected a vast majority (88%) ranked "financial controls and compliance assurance" among their top three. "Providing risk and controls advice" received an almost equally important rating, with 82% of respondents ranking it in their top three.

Our interviews showed that stakeholders are seeking deeper insights from internal audit. As one CFO told us, "CAEs should be expected to ensure the appropriate level of controls are in place to mitigate risk. They should also have a unique expertise to recommend controls." Recommending controls is highly valued, but many stakeholders we spoke with also want the insights offered to go a little deeper. Stakeholders are seeking insights that answer the question "What does this mean to my business?" and ultimately enable the business to connect the dots and operate more effectively.

While it is clear stakeholders want internal audit to provide both assurance and insights, our survey also showed that the characteristic stakeholders' value most in internal audit is its objectivity (chosen among the top three most valuable characteristics by 85% of stakeholders). Seeing objectivity given such priority, we dove a little deeper through interviews. While we heard a reinforcement of the need for objectivity, we also heard from stakeholders that they do not believe objectivity constitutes an impediment to internal audit functioning as a valued business partner delivering deeper insights; rather, it is a matter of finding the right balance. According to Audit Committee Chairman William Osborn, the internal audit function at Caterpillar Inc. has been successful in this balancing act. "They have done a nice job of walking the line," says Osborn, "between internal audit coming down hard when there's a problem, and being able to help people set something up in the right way to avoid problems." He actually finds value in the balance, stating further that "there's a tension there, and I'm a big believer that you need to be able to straddle the line and do both."

Seeking alignment as expectations rise

With only 45% of respondents saying the majority of their critical risks are well managed, the door to an expanded role is open, and internal audit must walk through it and take on the attendant challenges.

However, regardless of company size, industry, or geographic location, the majority of CAEs told us that they expect their budgets to remain static or be reduced over the next 12 months—even though, as we've heard, stakeholders want internal audit to boost its capabilities in the face of the ever-growing and shifting risk landscape.

Through survey data, interviews, and our experience, we uncovered many leading internal audit functions that are finding ways to meet their stakeholders' higher expectations— both in regard to enhancing value delivered in traditional control and compliance areas and in regard to addressing the most critical risk areas facing organizations today. By aligning resources in an optimal way in the right areas of the business, internal audit functions are showing they can do more with the same or fewer resources. The challenge for companies currently at or below their peers is how to rise to the new "floor" required by the combination of the new risk landscape and higher stakeholder expectations, and do so with constrained resources.

To read this report in full, please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.