Prepare for the world to become different, quickly. “The rhythms of life [have changed]; we’ve turned into these sort of nomadic creatures in the past 20 years. And our political structures and our homes… haven’t flexed to accommodate that,” said Balaji Srinivasan, former chief technology officer of one of the world’s largest cryptocurrency exchanges, Coinbase, in a recent interview. “The institutions that we have are simply not built for this at all. And that’s where they’re straining and stressing against it and they’re going to give, and we have to have a vision for what’s on the other side.”
Currently, that vision is foggy. In time it will pull into sharper focus, but the basic premise of a world in a state of rapid flux, and the need for institutions – political and corporate – to flex to meet this change, is clear. The pandemic and the way it has reshaped economic activity and business models has reinforced the pre-existing need for organisations to adapt faster to their surroundings and has provided inspiring examples of what is possible with sufficient incentive.
Internal audit has experienced the same forces – and similar successes. Most internal audit teams have operated remotely over the past 18 months, something that the majority of chief audit executives (CAEs) would have viewed as impossible without a long change programme a couple of years ago. Anecdotal evidence suggests that the shift has delivered efficiencies. It is often easier to contact and interview auditees and many internal audit teams have been congratulated for delivering their audit plans long distance.
But is delivering an inflexible annual plan in an innovative flexible way rather like Ford breeding faster horses, instead of developing the Model T motorcar? What is the point of delivering efficiently an annual plan that quickly loses relevance? Similarly, where is the value of internal audit identifying control weaknesses, but taking so long to investigate and write a comprehensive report that a crisis occurs before management reads it?
“Things change quickly, so flexibility and adaptability is hugely important,” says Jim Pelletier, vice-president of professional standards at IIA Global. “One of the biggest mistakes that internal audit leaders make is defining one of their key performance indicators as their ability to achieve their audit plan. That’s created a perception with boards and management that if you didn’t meet your audit plan that was set 18 months ago, you’ve failed. It’s actually a good thing, provided you’ve updated your audit plan.”
If nothing else, the pandemic demonstrated that internal auditors need to understand what’s going on outside their organisation as well as they understand operations from the inside. CAEs, in particular, need to develop keen business and market acumen to improve the way they scan for external activity and pressures so they can then “connect the dots” using their knowledge and holistic view of the business, Pelletier adds.
Improving internal audit’s ability to combine its internal and external world views should bring potentially overlooked issues to the business’s attention and help it to respond faster and better. The more risks you see, and the broader your field of vision when you scan for risks, the more you should be able to focus the business’s attention on those that really matter. This is far more useful than sticking to a plan because it’s there and because it has been agreed by the audit committee.
Over the past year we have seen how internal audit strategies can adapt rapidly to meet changes in risks to the business, and huge variations in the impact of Covid-19 on different sectors and businesses, says Graham Gillespie, partner at accountancy firm Wylie & Bisset. “The internal audit strategy has had to evolve more than ever, because the speed of change – and the speed at which risks are changing – is probably greater than ever before.”
Acknowledging the pace of change and the need for further change is one thing, but what practical steps can internal audit take to become more efficient and responsive – especially at a time when most teams have already implemented significant changes and many are being asked to deliver more without increased resources?
For a start, it’s important to recognise what you have already achieved during the pandemic and to see this as encouraging evidence of the versatility and strength of the team. Further improvements should be a case of building on this momentum, not of piling more pressure on internal auditors who are already tired and stressed.
The next step is to look at and learn from what others are doing – and not just in your own sector. If you see something that interests you, get in touch and talk to the people involved. An important lesson from the Covid vaccination programme has been that collaboration and shared knowledge really help to get things done faster and more efficiently. The Chartered IIA’s Community Hub and networks are a good place to look for inspiration and contacts.
One common approach among mature internal audit teams has been to adopt Agile methodologies, originally used by software developers. Notably, the fourth of four core priorities according to the Agile Manifesto is “Responding to change over following a plan”.
Those already treading the Agile path are replacing formal audit plans with “audit backlogs” and conducting fieldwork in short, sharp “sprints”. The concept is about introducing a more iterative and responsive approach to assurance. While not easy to embed, this is arguably the “low-hanging fruit” of auditing at the speed of risk and various elements have been widely adopted. Some internal audit teams have used Agile principles for several years and it is relatively easy to find examples and experienced users to talk to.
Beyond this, internal audit teams are constantly coming up with ideas and tools, often triggered by a specific need, but offering ideas and lessons that others can develop and adapt. At Skipton Building Society, for example, the third line has developed a “live risk heat map”. The idea came about when the society’s estate agency subsidiary Connells acquired Countrywide and internal audit needed to risk assess the new business rapidly.
“We came up with an inventory of operational risks, regulatory risks, information security risks, IT risks, and so on. We then met the relevant business heads and reviewed the key risk indicators and management information and, based on that discovery work, we shone a spotlight on the main risks that management would need to follow up very quickly post-acquisition,” says Steve O’Regan, chief internal auditor at Skipton.
The map plots risk probability versus impact or management awareness like a traditional map, but the difference is that it is a “living and breathing” tool that is updated monthly, not a static document dusted off once a year. Having seen the value it provided, O’Regan decided to roll out live heat maps for each of the audit portfolios in his remit, from operational and conduct risk to IT and information security risk, and everything in between.
“We still have our audit universe, but the heat maps are complementary to it. They are early warning indicators that give a lot more confidence to the executive that we are pointing our limited resources at what matters most,” O’Regan explains. “It’s had a great endorsement from the audit committee too, because it focuses them on the assurance they want over the next six months.”
The need to stay close to the action during the pandemic was a key driver for innovation at Bank of Ireland, according to Steve Sanders, the bank’s group chief internal auditor. Early in the pandemic, when lenders were offering repayment breaks to borrowers, the bank had to revise its controls and processes quickly. Sanders wanted internal audit to be present when the decisions were made, rather than flagging up potential risk oversights once things had failed.
He then developed the lessons from this into a new product that could be used more widely – a memo entitled “Agile Insights”. “If we’re attached to a project group, steering group or programme management board, or if there’s a live process where management is formulating a response and changing processes, we’re connecting with that and giving our feedback as we go,” he says. “It’s quick and concise and highlights, for example, ‘Here are some thoughts we have’ or ‘Here are some things we believe you should incorporate as you build this out’. It means you get your views out there.”
Unlike audit reports, these memos are not rated. They are simply a means of raising concerns early and providing additional insight quickly, based on what the internal audit team is seeing. “So far, it’s been remarkably well received by the business. Traditional approaches still face resistance. There’s this whole negative tone associated with auditing, because the first line feels like it’s been caught out or that you’re telling management that their baby’s ugly,” he says. “This approach complements the traditional internal audit work we do and, together, they are a much more effective way of driving the right outcomes for the bank.”
At the heart of this initiative is the need for a more responsive and fleet-footed third line that is more closely involved with the cut and thrust of the business. The profession is shifting. Last year IIA Global updated its Three Lines Model, dropping the word “Defense” and instead emphasising the need for collaboration and alignment between internal audit and the second and first lines. The third line is nothing without its independence, but it is possible for internal audit to remain objective while closely shadowing business activity and offering its own perspective on how well risks are monitored and managed.
“The spirit should be to pre-empt risk, rather than waiting until risks are crystallised to confirm that the business made a mistake two months earlier,” says Sanders. “The bank’s moving at such a pace that sometimes we are in there with the first line giving our input while management is making a decision, and that’s a good thing. We can still maintain our independence.”
Not everyone shares this view. Some recognise the benefits of a real-time approach, but still question whether there are sufficient safeguards against blurring the traditional role of the third line.
“It’s a reasonable challenge. How do we audit at the speed of risk while still being a third line, and not taking on what should be a first line or second line role?” Sanders reflects. “And how do we define that for the new world?” It’s a question that should concern all CAEs. However, the answer is not to abandon cars for horses, but to develop practices and safeguards to make fast, efficient and timely internal audit fitter to meet future demands.
For case studies and research on the impact of disruption on internal audit visit the Chartered IIA’s disruption webpages.
This article was first published in September 2021.