450 Parker St. Boston, MA 02115 7 October 2013 Mr.

Mike Noto Director of Internal Audit Fidelity Investments 200 Seaport Blvd. Boston, MA 02210 Dear Mike, I am writing to request your review and distribution of a reference document I created which helps clearly present the 2013 revisions to the Standards developed by the Institute of Internal Auditors. Each year, the IIA releases a revised version of the International Standards for the Professional Practice of Internal Auditing. These updates aim to incorporate feedback from shareholders and board members of the IIA, in an effort to keep the framework specific, relevant, and up to date. The reference document I have included in this email was developed in an attempt to alleviate the need for employees to study the revised document themselves. Instead, this brochure highlights the revisions in a way that is easy to follow and understand. I worked at Fidelity Investments as a co-op student for six months from January to June 2012, and learned a great deal about the importance of the audit standards and what they mean for the audit team. While it was a daunting task to ensure each of our reviews followed the IIA framework, I know it is necessary to comply with the regulations. I have taken it upon myself to read through the revisions in depth and put together this brochure for the benefit of your employees. It is my hope that you will take the time to review this document yourself and then pass it along to the other team members in a team meeting, encouraging them to reference it on future reviews this year. The document is attached to this email, giving you the option to print out copies or simply forward the email to the rest of the team, at your discretion. Please do not hesitate to reach out to me via email or phone should you have any questions or concerns. I appreciate your time and this opportunity, and look forward to hearing your feedback. Sincerely yours, Michael Evanoff Northeastern University 813-777-0856 evanoff.m@husky.neu.edu

Attachment: 2013 Revisions to the IIA Standards

Internal Audit Department

2013 REVISIONS TO THE IIA STANDARDS

As of January 1, 2013, The Institute of Internal Auditors (IIA) introduced a set of revised principles and modifications to the International Standards for the Professional Practice of Internal Auditing (Standards). This document outlines the specifics of those changes which clarify the roles and responsibilities of internal auditors and the chief audit executive, increase the focus on the Quality Assurance and Improvement Program requirements, and ensure the audit plan addresses the organizations strategic objectives. The purpose of distributing this document to the Fidelity Investments Internal Audit department is to inform the audit teams of these new standards in a concise manner.

KEY CHANGES TO ATTRIBUTE STANDARDS

ORGANIZATIONAL INDEPENDENCE
Whats New? The IIA has modified Standard 1110 to include two additional bullets: Approving the internal audit budget and resource plan Approving the remuneration of the chief audit executive

INTERNAL ASSESSMENTS

Whats New? The IIA has modified one of the bullets of Standard 1311: Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices

EXTERNAL ASSESSMENTS

Whats New? The IIA has modified phrasing in Standard 1312: The words reviewer and review have been replaced with assessor and assessment respectively.

KEY CHANGES TO PERFORMANCE STANDARDS

PLANNING
Whats New? The IIA has modified the interpretation of Standard 2010 to include the following: If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organizations business, risks, operations, programs, systems, and controls.

RISK MANAGEMENT

Whats New? The IIA has modified Standard 2120.A1 to include an additional bullet: Achievement of the organizations strategic objectives 2013 REVISIONS TO THE IIA STANDARDS PAGE 1

CONTROL

Whats New? The IIA has modified Standard 2130.A1 to include an additional bullet: Achievement of the organizations strategic objectives

PLANNING CONSIDERATIONS

Whats New? The IIA has modified one of the bullets of Standard 2201: The adequacy and effectiveness of the activitys governance, risk management, and control processes compared to a relevant framework or model; and The opportunities for making significant improvements to the activitys governance, risk management, and control processes

ENGAGEMENT OBJECTIVES

Whats New? The IIA has modified the phrasing of Standard 2210.A3: Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.

DISSEMINATING RESULTS

Whats New? The IIA has modified the interpretation of Standard 2440 to include the following: The chief audit executive is responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the chief audit executive delegates these duties, he or she retains overall responsibility.

COMMUNICATING THE ACCEPTANCE OF RISKS

Whats New? The IIA has modified the phrasing of Standard 2600 to include the following: When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board for resolution. The IIA has added an interpretation portion of Standard 2600: The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the chief audit executive to resolve the risk.

Prepared by: Michael Evanoff Information Technology Audit Intern Fidelity Investments - Internal Audit Department October 7, 2013 michael.evanoff@fmr.com

2013 REVISIONS TO THE IIA STANDARDS

PAGE 2