As we ease out of lockdown and reopen our shops and offices, one mantra keeps being repeated: the new normal will not be like the old normal. But what does this mean in practice? And how can we use our recent experiences to improve what we do in future?
Any period of immense disruption sends ripples through many interrelated areas – from the economy to our working practices, means of travel and even our deeper political and social beliefs. It makes many people start to question what they want and what they value. And such questions can be unsettling and disturbing.
In a business sense, the word “disruption” usually refers to a new entrant to an established market who uses innovative ways to transform the sector and pull market share away from its larger, less agile and more traditional competitors. The disturbance it causes forces others to adapt rapidly and may lead to a permanent and long-term realignment of the key players and their customers.
Covid-19 has provided a similar impetus for change, but far more widely. It has shaken up all sectors to a greater or lesser extent and has forced organisations and their customers out of their comfort zones and into new ways of operating and thinking. It is already clear that the crisis has accelerated many long-term trends such as automation and the switch to cleaner, more environmentally friendly power.
It is probably too early to see whether more people will continue to work from home, or to shop in different ways, in the longer term. However, it seems likely that positive experiences during lockdown and increased familiarity with digital tools will accelerate trends towards more flexible working and shopping that have been long predicted but slow to develop. Similarly, the need to reduce physical interaction is likely to drive new demands for automation and to cause organisations to explore more and innovative uses for artificial intelligence (AI).
Ripples will spread further outwards as the economy moves up a gear. Changes to working practices and shopping habits, delays to supply chains and requirements to practise social distancing will have further effects on factors such as offices, high streets and travel. And, as with all disruptions, there will be winners and losers.
Some of these can be predicted now – the CEO of Barclays has questioned whether our largest banks need offices that hold 7,000 people, British Airways announced huge redundancies as it admitted that air travel may not return to pre-crisis levels for years (if at all) and BP changed its view on whether it was worth exploiting some of its remaining oil reserves. Such decisions will have lasting repercussions for city centre and regional property prices, local and national suppliers, public and private transport and for energy investment and costs. Others will certainly emerge over the coming months.
It is essential that even those organisations not directly affected by massive disruption from Covid-19 watch and learn from the consequences it is having on others, as well as on their own stakeholders. Disruption on this scale drives change and innovation. Those that fail to spot these shifts may miss out on opportunities in their own sectors, or fall behind more sharp-eyed and imaginative competitors.
There are also important lessons to learn from the experience of being disrupted and the way we respond. Covid-19 was a surprise, but not unpredictable – pandemics have happened before and will happen again. We already know of other, greater disruptors that are approaching at speed and would be foolish to ignore anything we can learn from this one that could help in the next.
Lise Kingo, executive director of the UN Global Compact, has called the pandemic a “fire drill” for the climate crisis. She also pointed to the way in which the crisis has highlighted social inequalities that have fuelled the global protests for Black Lives Matter. The message is surely that we should not go back to business as usual, even if this is possible, if it means shutting our eyes to rifts and practices that should be addressed.
Challenge is key. Disruption – by a competitor, virus or demonstrators – challenges us to adapt to circumstances, improve the way we do things and to create change. This may mean changing our processes, our physical surroundings, our skills or our attitudes, or all of these together.
But challenge is also what internal auditors do. Internal audit is the group in a business, above all others, with a remit to challenge the executive and the status quo, whenever the business and its managers miss opportunities or fall short of their stated aims and standards. It may take courage and tact, but a crisis is a good time to demonstrate value and to offer ideas for solutions, as well as criticisms.
Organisations that may have been happy to ignore suggestions that seemed unnecessary embellishments in good times, may be more receptive when markets are under pressure. Similarly, internal auditors who have an in-depth knowledge of the whole organisation, its strengths and weaknesses, and a general overview of risks across the economy and sector are in a good place to highlight innovations and best practice that could help executives make important decisions at a critical time.
Internal audit is there to protect the organisation, but its remit to challenge and to speak truth to power also makes it clear that protection can involve being proactive and innovative. At times of crisis, it is not enough to criticise or help to patch up what has already been done. Internal audit can also provide ideas and insights, a fresh point of view, or a new way of looking at and assessing data that produces alternative choices.
To do this effectively, it also needs to challenge itself and turn its scrutiny on its own practices and sacred cows. What can – and should – be changed? What can be dropped or superseded? What other information can be tapped and what other voices consulted? Disruption is a massive, often existential, threat for businesses and for individual livelihoods. Internal audit is no exception. However, by spotting and seizing the opportunities for change and innovation that it brings, audit teams can help themselves, while also helping their organisations.
Data is valuable and risky, but the risk of not using it at all is quite as serious as the risk of using it inappropriately. Modern organisations gather information constantly from sensors in equipment, social media, customers and multiple other sources, but many are still trying to deal with it using a beardy bloke who sits in the corner with spreadsheets. This isn’t enough.
We’ve seen recently how the quality of your data affects the quality of your decisions – particularly in times of challenge or crisis. We have watched scientists model the consequences of national responses to the Covid-19 crisis, with varying success, and have seen how Far Eastern countries that had data from previous pandemics quickly identified and implemented solutions. This made it clear that it’s not a question of just collecting and storing data – you need to use it constructively.
Data has huge potential value. If used well, it can help organisations to understand their customers, markets and risks. But most people don’t have the skills to do this and those who do are snapped up by the highest bidder. The National Innovation Centre for Data, which is funded partly by the government and partly by the University of Newcastle, is helping organisations to upskill their own people to use their data better.
If an organisation comes to us with a real, defined data problem that they need to resolve, we will work with them in a three- to six-month project and will teach their people the skills involved. Most businesses don’t need a team of PhD-level data scientists. They may need one, but they also need many others to be competent and aware of the issues.
Organisations usually believe their data is in a far better state than it actually is. Too many people collect data without knowing why, or what for. Often, it’s seen as a legal formality. One important step is to create a feedback loop, so that those collecting data know why it is valuable to the organisation and see a return on it. We also find that governance functions are primarily concerned with protecting their organisation from data misuse. They seem to think that it’s safest to lock it away and not use it. But if other valuable assets were locked up and not used, people would ask questions. Why is data different? One fundamental issue is that companies do not value their data – they don’t realise what they have and what it’s worth.
Those who already use data well are in a much better position to deal with risks that arise suddenly, because they have more information and can model the consequences of actions. This is even more true now that the Covid-19 pandemic has accelerated the trends towards remote working and digital interfaces with clients and customers. All the data from these interactions can be collected and analysed.
In the longer term, more organisations in traditional sectors will start to see that their greatest value lies in their data. This is particularly true of organisations facing ongoing disruption from wider market trends, such as the oil and gas sector and car manufacturing. They need to consider what they will do if their data becomes more valuable than their business model.
Small disruptive technology companies will become less common as the largest organisations buy them up and absorb them into their research and development. The turnover of the largest tech players has stabilised partly because the largest digital organisations, such as Amazon, now have a huge advantage over start-ups because of the data they hold.
All organisations must have a clear data strategy – it’s too important to outsource. Companies need to have the basic skills in-house and to understand what data means for them and for their business.
1 If you can spot patterns and trends, for example, identifying when customers are likely to leave you,you can highlight the warning signs and take advantage of opportunities to upsell and market products.
2 Equipment maintenance – most organisations maintain equipment on a fixed basis. They don’t analyse when faults occur or spot the warning signs.They then waste time when the machine stops working and on checking things that are working fine.
3 Digital twinning allows organisations to build a virtual model of their business, so they can experiment and test the impact of any change. If you make small incremental changes it can be hard to identify what each does. A digital model allows you to work out how you can change faster and better. This can be a game changer when you are responding to rapidly evolving situations or emerging challenges.
4 More and more organisations are using business information systems, such as Power BI. These givesemi-skilled people the power to slice and dice data and explore how they can use data to improve andinnovate. This is the tip of the iceberg and we still have a long way to go.
We are seeing four major sources of disruption impacting internal audit: technological disruption; business disruption (such as major corporate programmes, reengineered processes, new markets and the supply of people and talent); operating model disruption (such as the emergence of remote working and shared service centres, virtualisation of services and offshore working); and market disruption (geopolitical changes, new regulations, the Covid-19 pandemic and changes in customer behaviour). Each of these is connected and affects the others. For example, the Covid-19 pandemic (market disruption) has prompted many organisations to embrace collaborative technology in a way that they may have talked about, but not fully embraced before.
Internal audit teams are finding that technology doesn’t just enable them to have team meetings remotely. It also means they can capture and share audit findings and present things globally in new ways. It changes the way internal auditors relate to their customers and how they communicate findings and risks. Managers can become far more proactive and can receive findings and data on mobile devices and drill down to the level they need. When combined with data analytics capabilities, this is a powerful tool. Most internal audit functions say they wish they’d done this earlier.
This new level of collaboration with stakeholders, requires new controls and new ways of working. It won’t be appropriate or desirable for all stakeholders to access the same levels of information and there may be legal implications. However, with the right safeguards, it can potentially make audit data and findings far more interactive and can change the relationship between auditor and auditee.
It’s important that internal auditors take their stakeholders along with them. Some stakeholders will welcome the chance to explore the data more independently, but others won’t want the responsibility and will need to understand how it can benefit them. It requires new approaches from internal auditors who must communicate the main themes and issues and direct management attention in new ways.
One mega trend we’re seeing is the need to be able to balance risk effectively. With any kind of disruption, you get great opportunities and also potentially significant downsides. For example, we’re seeing this in the debate about whether a track and trace app is an invasion of privacy or the answer to helping us stay healthy. How much data are people prepared to give away for safety?
In other areas, the trade-off is efficiency against insight. If a robot performs a task, you may lose critical oversight and human analytical judgments. Artificial Intelligence may speed up transactions and open up your products to more people, but customers will lose human contact and may become less loyal. These debates are important at national and organisational level and internal auditors must consider them. New laws may come in and customers may demand different levels of protection or reassurance.
Tips for embracing technological disruption:
1.) Have a clear vision. Lay out a clear plan. What people and processes do you need? What do you need to stop doing (you won’t benefit if you continue to do redundant things as well as the new ones), start doing and continue to do? Constantly review your plan and make sure dedicated people are responsible for it.
2.) Be in lockstep with the wider organisation.
It’s usually best to be one step ahead of your organisation – not in a different league entirely. Internal audit is well placed to be a catalyst for change. The breadth of the internal audit remit puts it in a good position to demonstrate to the rest of the business the art of the possible. In many cases, internal audit can showcase practices that are then adopted by the rest of the organisation.
3.) Leverage what’s there. This doesn’t have to be all about buying expensive new technology. Look at what you already have and whether you can use it more effectively. Most organisations already have Microsoft PowerBI and do not use all its capabilities. You may be able to do more by dedicating thought, time and training to it with no extra tools.
Above all, take time to stop and think about what you want to do and how you could do it better. Am I fulfilling my mandate in the best way? What are the opportunities? What are my pain points? What is the state of my talent and my people? What can I learn from other people and their experiences? How do you embrace human traits to the full?
Don’t go back to the old way of doing things.
We are, perhaps, more accustomed to dealing with multiple layers of disruption in our sector than others. We operate in geographies that are disrupted by physical crises, such as natural disasters and conflict, and such emergencies have wider repercussions. We need to draw on this experience – adapting our existing emergency preparedness work to respond effectively to the Covid-19 crisis.
The major disruption from the global pandemic (bearing in mind that we haven’t yet seen the extent of any second waves, or the peaks in some countries) is its potentially devastating impact on the Sustainable Development Goals (SDGs). I think this crisis could set back some of our “wins” from an international development perspective by seven to ten years. There are also tangible long-term threats to our funding model and base. Institutional funding may decline as nation states become more absorbed in domestic responses or more insular. We may see a potential transformation in philanthropic giving, but one cannot wait until one sees a financial gap before realigning the organisation’s response.
I am surprised at some of what we hear about the role of internal audit in the wake of Covid-19. When was it not incumbent on us to be deeply aligned with the organisation’s mission, strategy and crisis response? There is a clear emerging narrative around internal audit’s need to be particularly relevant now or face an existential crisis, but this has always been true. In the longer term, what internal audit can achieve depends on its credibility with the executive and with the board. Credibility makes it easier to ensure that management doesn’t make decisions without involving “critical friends”, and to ensure you are a part of (or lead) any post-Covid reviews.
The magnitude of this crisis has also brought the “lines of defence” model into sharper relief. Internal auditors must more astutely assess the effectiveness of the risk identification, management and escalation process across their organisations. An ineffective risk process can seriously impede an organisation’s true potential. Put simply, we need more second-line of defence leads to challenge constructively the executive and the status quo. If internal audit can support and help them to do this, we should. But where second line of defence leads become “dealmakers rather than deal questioners”, we must speak out.
We may even have to lead the way and corral, challenge and coach management to get necessary improvements implemented. I have found that management is usually receptive to these questions, but they are neck-deep in “response” mode and unwilling to invest the time. So they need constructive challenge and support. We also need to challenge the executive and the board to articulate their strategy around risk: What are they trying to achieve? What could get in the way and why? Where is this articulated? What is the appetite for risk? Is there a process for determining whether it has changed? Is there an appetite in place for so many novel emerging risks? If it’s not clearly articulated, then problems will arise.
This can be difficult for heads of audit because it can lead to “blurring” of the lines of defence and has potential impact on the effectiveness of governance and the need for safeguards. We also cannot fully take on tasks that we’re not responsible for, not least because it comes at the expense of the team’s wellbeing; so the nature and extent of this support should be clear. But in the immediate term, would one rather delve into what the organisation needs, or stick to the ostensible remits of the lines of defence? I know which I would choose.
The Covid crisis raises hard questions for organisations. We will be looking at whether our operating model is optimal, whether we are intentional and purposeful about working with our partner organisations, and whether we pool our global resources and use all the intellect at our disposal. How are managers deciding which projects should be dropped and which are key in the future? These are strategic choices, and internal audit needs to ensure that appropriate control mechanisms are in place to inform these choices. If this hasn’t been done in the past, it will be more difficult now. But it is imperative.
Lastly, internal audit must think harder about what “leading the profession and building the role of internal audit” means. We need to take a sharper look at ourselves. How much do we open our perfor-mance and processes up to scrutiny? How fast do we adapt? Where does our own innovation and disruption come from? Who is pushing it and who is sharing it? We should be engaging more with each other and using the Chartered IIA more to explore what innovation means to us and how we solve common problems.
The Covid-19 pandemic has affected parts of the retail sector very differently. At Sainsbury’s we have been helping to “feed the nation” and our colleagues have been working around the clock to keep shelves stocked and serve the most vulnerable people in society. We haven’t furloughed anyone and we’ve had to move fast to support the business and its response to the crisis.
We had just agreed our half-year audit plan when the coronavirus struck. At that time, the business focused on serving customers as best we could and ensuring that we kept customers and colleagues safe. We immediately suspended our plan for three weeks, other than a few key strategic audits, and our store audit team stopped store visits. This provided space for the business to respond to the pandemic and let us realign our plan to ensure we were focused on helping and supporting it.
Some members of our team were redeployed – for example, one of our team was seconded to group finance to support through the year-end process and the store audit team provided hands-on support in stores. Another two team members attended our internal “incident response team” so we could proactively provide advice and support as well as gaining real-time assurance. We knew, for instance, that people would have to take risks to meet new demands – quite rightly – so we focused on understanding how decisions were being documented and approved, so that, where and when appropriate, the control environment could be restored.
Our presence on the incident response team gave us a fantastic insight into what the organisation faced. There was never any question about whether we should be part of this. We were fortunate that, culturally, we were in a strong position to start with. We reviewed our existing half-year plan and the audit universe and asked what had become higher risk and what was now less important. We were already, for example, scheduled to review recruitment and gift cards. Both of these areas became higher risk as we recruited around 4,000 colleagues in a short period and the gift card system was used as a basis to roll out a shopping card for vulnerable people. We added audits where there was an inherent risk of fraud, error or cash loss.
We left the plan flexible so that we could add things at short notice. Everything had to be done fast and while everybody was working from home.
We experienced the usual challenges around remote working, agility, etc and, as the pandemic continues, an emerging challenge is how we maintain and share our knowledge of the business as it becomes harder to continue informal networks and conversations using technology. To help this, we’ve introduced three meetings each week that have no agenda so that managers can get together and discuss their thoughts and what they see going on. Remote auditing is entirely possible, but at some point, seeing how processes work in, for example, depots will be important.
On a positive side, the team adapted fantastically to remote auditing and working flexibly. We have proved we can be agile and flexible and will build this into our ways of working. The crisis has also renewed our focus on how we support the business. We’ve been looking at how Covid-19 affected different areas and how various teams managed their responses and what it means for our scope of work. Covid-19 is now part of every audit we do. After all, once this crisis is over, there will be others, so looking at how each audit area fared is a valuable lesson for the future.
From a resilience perspective, we were able to use some of our contingency planning for Brexit and we also tested our remote working capability. We would never have been able to conduct tests on this scale so, although no one wanted this crisis, it was an opportunity to see how our plans actually worked.
As we move forward, most businesses will rethink how they operate and internal audit must be fully aware of this, and the risks and opportunities it creates, so assurance can be aligned. The supermarket sector constantly responds to disruption, whether from the discounters or changing customer behaviour. The lessons we’ve learned from these helped us in the pandemic, and all the lessons from this period will be useful when the next challenge arises.
This is the first time since the 2007-08 financial crash that we’re talking to companies considering shrinking the size of their internal audit teams. Following that crash, there was a lull and then internal audit teams, particularly in regulated sectors, began to grow. The double-whammy of Brexit and Covid-19 has prompted many companies to examine their internal audit budget, headcount and structure. They are considering job location redeployment, headcount reduction and co-sourcing. The hardest-hit companies have made some redundancies and others are considering this. Some are relocating jobs to lower cost locations within mainland Britain, while others are moving roles to Ireland and continental Europe.
Further redundancies are likely – if your industry or company has been hit hard by Brexit and/or Covid-19, redundancy will be a possibility. This is an unavoidable and, often, a traumatic experience. However, it can also be an opportunity for a fresh start and to pursue something new. There has always been a shortage of good quality internal auditors and if you are made redundant there will be new opportunities – maybe not immediately or close to home, but they will materialise. You may need to compromise.
Job relocations have been occurring for a few years and will continue to do so as employers seek to build a workforce with a lower cost base. This is a double-edged sword, since employers need to balance cost savings and the availability of qualified staff, especially if they move jobs with niche skill sets. If you live in or near a major city outside London, job relocations can offer a career boon. We are seeing more career opportunities for internal auditors in cities including Birmingham, Edinburgh, Leeds and Manchester. Salary inflation will probably occur in these cities as more roles are created in areas with smaller numbers of qualified jobseekers.
Skills and experience count
Generally, the highest demand is for experienced internal auditors operating at the delivery level. At the moment, fewer organisations are hiring senior audit managers or trainees. Recruitment activity is, unsurprisingly, low for this time of year, although some companies are suggesting that things may pick up in the second half. Others doubt they will be recruiting until 2021. It’s not all doom and gloom – a number of fixed-term or interim job opportunities are emerging, while permanent hiring is subdued. Additionally, public practice firms are winning more
co-sourced internal audit work, so creating new jobs.
Most organisations are genuinely seeking a more diverse internal audit team, particularly in terms of gender and ethnicity representation, but they still want skilled, experienced internal auditors.
Far more companies are also offering flexible working. People are being told they can spend up to half their week working from home, even after the coronavirus crisis passes. The move towards flexible working is not new, but the pandemic has accelerated it, as organisations experience the new technology and see that results can be delivered during our enforced absence from offices.
Tips for job seekers
1.) Get interview practice. Interview processes have become more involved. Typically, you will meet three or four interviewers using structured or competency-based interviews often incorporating verbal, numerical and psychometric testing.
2.) Spend time writing a CV that reflects your writing skills as well as your knowledge, competencies and achievements. Tailor it to specific roles.
3.) Think about what you need to know before the interview – what do you know about
the company you’re meeting, what does the job require and how can you demonstrate your ability to deliver it? What can you bring to the party?
4.) Think about your communication style – are your answers too brief or too long-winded? Pay attention to the interviewer’s body language and facial expressions to assess whether you need to adapt the way you deliver your responses.
5.) Think about what questions you want to ask at the end of an interview. In addition to what the company can offer you, ask what you can contribute to help them achieve their goals. An interview process is a two-way street.
6.) Develop a long-term relationship with a recruiter you trust – you’ll be the first person they call when a job comes up.
7.) If you are interviewing via a video conference call, ensure that you have a good internet connection and also make sure that you’re in a suitable space without
This article was first published in July 2020.