If there’s one government department that matters to all the working population of the UK, it’s HM Revenue and Customs (HMRC). Not surprisingly, given the eye-watering sums involved (it collects more than £627.9bn in taxes each year to fund our public services), providing assurance on the effectiveness of systems as they are transforming to more digital platforms is a key challenge for its 65 internal auditors. This is a relatively small team, which has introduced a number of innovations to its audit practices and planning that have significantly improved its capabilities and its reputation with both senior management and the audit committee.
Alison Bexfield, director of internal audit at HMRC, joined the team in 2016, having previously been head of internal audit at the BBC. She found that it had a mature approach to internal auditing and this enabled her to build on strong foundations. “The team already had in-house software on which they ran their audit processes. One initial aim was to develop this further to improve the way it tracked audit actions,” she says. “Opening this up to business managers, giving them greater visibility of the open actions and the ability to update their status, freed up auditors’ time to focus on assurance of completed actions rather than on basic administration.”
She also wanted to develop the team’s ability to use HMRC’s data to provide assurance insights. “We have huge amounts of data at HMRC and the trick is to identify not what one person can do with it, but what the bigger potential is,” she says. “We wanted to work out how it could be used in future to change, innovate and develop, with a view to embedding sophisticated automated controls within systems.”
The management team expected the key challenge to be identifying the data they wanted and how best to use it: in fact, it turned out to be accessing the data in the first place. As you would expect, HMRC treats data security extremely seriously, and internal audit needed to clear various hurdles. Accessing data proved far more complex than they expected.
“I can see huge improvements that will happen here in the future – there’s so much potential to make it better and more efficient, for example by using whole-population testing rather than sample testing, and building in continuous autonomous testing algorithms,” Bexfield says. “It’s all about changing our mindsets and becoming more ambitious about what we want to do and know we can achieve.”
“We’re looking at doing more agile processes, because these have the potential for improving real-time reporting,” she adds. “We’re not embracing this wholesale yet, because it has clear risks as well as benefits, but we do want to speed up our auditing wherever possible: having the perfect report that’s taken too long isn’t helpful.”
Reports that are not understood or acted upon are also not helpful, so Bexfield has focused on improving reporting communications. “Different managers need different types of audit stories telling them what the reports mean to them in the best way. So each report now starts with a single page that tells the story for our most senior stakeholders: not just the findings, but what it means to that particular reader, tailored to their role.”
The rest of the report is presented as an overview of the most significant findings with additional detail in appendices for those that need this.
The search for innovation and improvement is central to what Bexfield looks for in the team and what she sees as the future of internal auditing. “Organisations are becoming ever more complex and I increasingly need people who can see across boundaries and understand how different areas can work better together, bringing together groups of people,” Bexfield explains. “Individual audits only go so far: it’s how these are joined up and used in aggregation that’s important. I want my team to have the time and space to think about this.”
Far from doing auditors’ jobs for them, the technology should make auditors’ roles more challenging and strategic, Bexfield explains. Where internal auditors might once have been asked to analyse the data, the profession now needs people who demonstrate imagination and a desire to find new ways to use real-time information more effectively. It also needs communicators who can bring disparate groups and functions across the business together to collaborate.
“As basic testing becomes more automated, the skills needed to be an adviser become more important,” she says. “I want curiosity. No one person will have all the necessary basic skills, but I am looking for people who have the imagination to say ‘If we had this information and this information, we could do x’. I want to find people who can look beyond a tactical local solution to a problem and suggest more wide-ranging strategic solutions.”
Internal audit has to see itself as a partner to senior management, she adds. “We need to focus on developing our people skills and hiring people with the skills to further this partnership. We want people who are curious about how things work, but who also want to make things happen. Unless the actions that come out of audits improve the business, then you haven’t achieved much.”
This approach requires individual personal development as well as for managers to recognise that imagination and creativity cannot be switched on and off; they need flexibility and space to flourish. One innovation in HMRC’s new planning processes is to allocate 20 per cent of resources to responding to ad hoc requests from management. Bexfield cites the fact that this element is constantly oversubscribed with requests as proof of its usefulness to management.
She has also built in time for staff to offer advisory services and opinions in the early stages of project development. “This is about giving advice at the most useful point in the process,” she says. “We can see the big picture across the whole organisation, so we can spot opportunities and bring people together from different functions. We meet everyone and we know what’s going on, so it makes sense for us to help if we see a way to improve things without compromising our independence.”
The key to getting this right, she adds, is knowing when to leave managers to carry on with the implementation. “It’s natural to want to help and be involved, but we can’t overstretch ourselves and we have to work efficiently.”
Another innovation that has had a significant impact is the development of an “assurance diamond”. This asks internal auditors to look at extra dimensions every time they give their opinion. Government internal auditors are commonly asked to provide a rating with their opinions and the diamond adds in three new factors:
• Risk management (are risks understood with appropriately designed controls?).
• Control effectiveness (are the designed controls working as intended?).
• Governance (is there proper accountability and ownership and is the second line of defence working?).
“We now give the overall rating at the top, followed by individual ratings for these three elements below,” Bexfield explains. “It’s enabled us to focus more on the design of processes and to identify potential improvements.”
She also believes that the assurance diamond has embedded the Three Lines of Defence model across HMRC and helped managers to understand how it works and what the audit opinion ratings mean. “It helps the conversation if they already understand how the lines of defence work for them,” she says.
In addition to this, the team has benefited from a comprehensive assurance mapping exercise, covering all the multiple forms of assurance across HMRC. “One problem with assurance mapping is that it can become horribly complicated,” Bexfield explains. “We tried to keep it as simple as possible so senior management can see at a glance who provides what assurance across the organisation.”
Part of this drive for simplicity involved producing a simpler overview map as well as other, more detailed, versions that the auditors can refer to if they need to drill down to see the types and quality of assurance offered. Bexfield says that managers have recognised and appreciated the efforts internal audit has made to keep all audit communications as simple and straightforward as possible.
In addition to helping management, clear and effective communication has also helped to enhance the audit team’s sense of “community”. This can prove challenging given that the auditors work from hubs in Newcastle, Nottingham, Manchester and London, with a few in Telford and Worthing.
“I try to get to all the areas regularly, but it’s also about recognising good work by individuals and ensuring that all our people get information about what everyone else in the team is doing. It’s important to show everyone in the team that we do respond to suggestions and feedback,” Bexfield says.
Improved technology is helping people to work more closely across locations and ensuring that everyone has training and development opportunities (as well as, importantly, the time to complete them). In addition, Bexfield is keen to move auditors around different business areas so they gain a variety of experience and are exposed to different managers.
The entire team is brought together for an annual two-day conference each year and this provides further opportunities to connect different elements of the team and improve communication with audit managers. “Our last conference featured a Dragons’ Den scenario in which the senior leadership team were the dragons and auditors pitched ideas to improve the way we do things,” Bexfield says. Suggested improvements ranged from changes to the induction process to new ways to share knowledge across the team.
“There were eight teams and each attracted at least one sponsor. Since then we have tracked progress and fed back developments. Senior management sponsorship was important because no one wants to be the dragon who hasn’t progressed their idea by the next conference,” she explains.
Winning the Audit & Risk Award was an important recognition of what the team has achieved so far, as well as an indicator of its potential for future improvements. Bexfield emphasises that the award recognised the value of every person’s contribution, no matter how high profile their individual audits.
“It gained us lots of recognition in the wider organisation and means that people can go on in their careers and say ‘I was part of an award-winning team’,” she adds. “Great audit teams are made of people. I’m lucky to have a great team, but it’s really important to continue to train and develop and encourage these people. That has to be the priority.”
This article was first published in September 2019.