AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Pulse of change – internal audit at British Heart Foundation A&R Magazine Nov Dec 21


Charities exist to raise and distribute funds, so what happens when key elements of their funding supply are cut off overnight? This is the situation that faced the British Heart Foundation (BHF) when the first UK Covid lockdown abruptly closed their network of 730 shops and cancelled all of their face-to-face fundraising activities. The way in which the charity’s Risk and Assurance (R&A) Team responded to the disaster, changed the way it worked, supported operations and management and introduced innovative ways of working, won it the Audit & Risk Award for Change and Innovation in a Crisis, as well as a commendation for Outstanding Team – Third Sector.

“During the crisis, our income took a massive hit – we were losing millions of pounds each month, because our retail network was unable to trade and all of our face-to-face fundraising events, such as the London to Brighton bike ride, were cancelled,” explains Rohan McMillan, head of risk and assurance at the charity. 

His team of 11 people is split evenly across retail and non-retail operations. On the retail side, most of the R&A team were furloughed in the first lockdown, since they were unable to undertake shop visits. But when the second national lockdown began, many were redeployed into other departments to offer their skills and expertise in areas from health and safety to IT and finance. Managers were aware that this could lead to questions about independence once these people returned to internal audit, but McMillan was confident that their co-sourcing arrangement would enable them to manage this risk.

“I was keen to put our team front and centre of the BHF’s Covid-19 response in order to actively support this and our organisational recovery. From the outset, it was clear the team had a unique set of skills and attributes which could easily be deployed to support the response, while ensuring impartiality and fairness as we returned to our roles in the future,” McMillan says.

“There was some initial resistance to crossing boundaries, because we are naturally keen to protect our independence and objectivity, but it was obvious that we had to roll up our sleeves and use our talents and skills to help out, and it was in keeping with our values of ‘brave, informed, compassionate and driven’,” he adds. “We’ve used the IIA Code of Ethics as the basis of discussions about what we should and shouldn’t do but, as a result of getting involved, we are now more adaptable and flexible and it increased our confidence and our exposure in the charity. We are asked for our opinion far more now than we were before.”

The team is also responsible for risk management and, from the outset of the pandemic, it was clear that it needed to reprioritise its risk focus. Working closely with the executive group and management, the organisation’s risk manager, Alex Paterson, conducted a full review of the BHF’s risk registers to help reprioritise the focus and approach during the pandemic. This meant that they could temporarily remove many longer term strategic risks and focus on those that were more critical.

McMillan and Paterson also joined the BHF’s Gold Coronavirus Response Group, convened to co-ordinate the organisation’s actions from the start of the crisis. Over the following couple of months, management asked the team to establish and lead two additional response groups – a Silver Second Wave Group focused on plans to re-open shops and prepare for subsequent lockdowns or restrictions related to Covid-19, and an Incident Response Group, which met daily to track national and local news stories as well as government reports. This provided a single source of information to underpin business decisions and help the charity to ensure that it operated safely and in compliance with Covid safety rules.

Business as unusual

Realising that their planned audits were both impractical and no longer focused on current priorities, the corporate audit team, led by Frankie Johnson, introduced a revised audit process, which produced short lessons-learned feedback reviews that took around three weeks (rather than the usual eight for a full audit). These did not offer full assurance but did ensure that management received key learnings about the charity’s business continuity so they could adapt and respond rapidly. In turn, the short reviews enabled internal audit to explore and develop new agile auditing techniques that they could use to improve and accelerate the way they deliver audits once their “normal” audit routine began again.

When it came to the retail sites, all full site audits were postponed, but retail audit manager Tim Baker developed a “support visit” programme that could be delivered by the audit team under Covid safety rules. The programme focused on helping individual shops to re-open and staff to return to work safely after lockdowns. The auditors also captured data and feedback that they reported regularly to central operations on how effectively the Covid safety precautions were being embedded to help ensure that any issues were identified and addressed quickly.

McMillan is confident that this timely interaction of feedback reviews and support visits, which enabled rapid and targeted action, strengthened the reputation of the R&A team in both the retail operations and across the wider organisation. 

Well covered

One big challenge during lockdowns was to satisfy insurance requirements for unoccupied premises and to find new ways to assess and monitor shops while they were closed. The team worked with colleagues in security and income protection and in central operations to develop a range of new ways to monitor premises remotely and flag up anomalies that might indicate a need for a physical maintenance visit. Using live CCTV feeds, electricity usage data and till network connectivity reports, the team was able to identify issues including burst pipes, storm damage and possible intruders. Monitoring the estate remotely meant that the team could satisfy insurers without putting staff at unnecessary risk. 

An unexpected bonus was that the team managed the transition to a new insurer during the pandemic and the new arrangement saved the charity £80,000 a year. McMillan points out that switching to a new insurer typically involves collating information for the tender from every one of the charity’s directorates and this was the first time it was all completed remotely.  

Lessons for the future

McMillan believes that the R&A team has learnt to be more empathetic during the crisis and has increased its reputation and its understanding of the organisation and the people who work in it. 

“We found that the three-week feedback assessments and support visits went down very well with managers and teams in other functions, because we really knew how people were responding to, and coping with, change. Within the team, we established a virtual ‘coffee morning’ every day at 9am to help us catch up with each other socially and raise spirits. We’ve kept this going and now do it three days a week,” he says.

Remote working for at least a few days each week is likely to remain important in future. Experiences in lockdown demonstrated how efficiently the team worked from home and McMillan hopes that a flexible working environment will help them to recruit people with scarce skills, such as IT, from further afield, as well as accommodating staff who already live further from offices or who have moved away from cities. “While the technology and the use of Teams has held up incredibly well, so too has our team’s appetite for working in a different and dynamic manner. Daily team meetings help to bring the R&A team together more, meetings with stakeholders tend to be more focused and regular, while still informal, ‘side-bar’ chats have replaced tea point catch‐ups,” he says.

They have also learnt lessons from the changes they made to audit planning and McMillan says these will continue to evolve in the post-pandemic era. The team has restarted eight- to ten-week risk-based in-depth audits, but is also using more agile audit planning. It has abandoned its former 12-month planning cycle and introduced an Audit Log, which it re-visits with management and the audit committee each quarter. 

“We give feedback on what we’ve done and our priorities for the next period and report this to the audit committee each quarter. We’re confident about our plans for the next four to six months, but after that we’re not committed to any particular audits and can respond to emerging needs and focus assurance where it’s needed most,” he says. 

The R&A team is currently engaged in a third round of scenario planning, trying to work out what is likely to happen in the crucial retail season before Christmas and considering the risks of a bad flu season, recruitment challenges, changes to shipping charges, rising gas bills and the effect of increased ventilation in shops on heating. “About a quarter of my work is still focused on Covid-19 issues,” McMillan says.

He adds that they will need all their new flexibility to deal with rapidly developing risks, such as the impact of climate change. “Two or three years ago, this was not a big issue for managers, but now it’s important and we can see many potential impacts from it, so I think it will be a key audit in the coming year,” he says. “It may be that demand for our services from cardio-vascular patients will increase as a result and we will need to plan accordingly. In our retail division, we may need to look differently at seasonal stock and we have a social responsibility to think about our fleet, and how we heat our offices and shops. We also need to consider what effect hybrid working has on our carbon footprint.”

However, McMillan is confident that the charity is in a much stronger position if another national or international calamity occurs in future. “As an organisation, we are much more flexible and agile than we were. Some of this is down to technology. If the pandemic had happened two years earlier the situation would have been very different. But we mustn’t get over-confident and believe we’re prepared for anything – for example, we have been hugely dependent on digital tools and everyone’s home broadband during the crisis. If this stopped working it would hit everyone,” he warns.”

He believes that management is now more appreciative of internal auditors’ broad view of the organisation and realises that it can be a source of innovation and ideas. “Rather than being seen as wholly focused on risks and controls, we can also help to spot improvement opportunities in the organisation,” he says. “This is more interesting for us and is appreciated by managers.”

McMillan knew his team had done well, but winning the award gave everyone a “huge buzz”. “We’ve got cracking people here who have worked so hard, so it was great to be able to show management that this has been recognised.” 


This article was published in November 2021.