Heads of Internal Audit Virtual Forum

10 February 2021

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity, this box is highlighted in yellow.
  • The comments from the President/CEO of IIA Global are highlighted in heather.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chair's opening comments

John Devine is our speaker today. John is Chairman of Credit Suisse International and an Audit Committee Chair for Standard Life Aberdeen.

John will share his insights as a board member to help you think about developing your relationship with your own audit committee. He is very much an advocate for the profession and will share his expectations of internal audit in what is an increasingly disrupted environment.


Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Speaker: John Devine - Chairman, Credit Suisse International and Audit Committee Chair, Standard Life Aberdeen.


Key takeaways

• Focusing on the short-term is important but our biggest challenges are yet to come.

• We have all been adapting these past 12 months. The pace of innovation in business has been massive – exponential even with regards to communication.

• The challenges to come will be an acceleration of the things that are already happening.

• It would be foolish for internal audit to take its eye of the ball.

• The role of internal audit is to assess, help, advise and cajole.

• Organisations need effective governance to navigate through the now and the future.

• Thinking about the challenges – if you are not spending a great deal of time on these today - you should be.

  • Transformation – few organisations are not changing in major ways.
  • Digitalisation – data analytics, risk infrastructure, artificial intelligence, robotics.
  • Culture/People – one of the biggest risks from a strategic standpoint.
  • ESG/Diversity – increasingly important issues with more activist investors.

• Have you audited culture?

• We are operating in a world of increased inherent risk. People under stress make mistakes.

• To be a good internal auditor you need to understand:

  • Your organisation and organisational dynamics
  • Your stakeholders
  • Inherent risks specific to your organisation – each organisation has its own capabilities and risk appetite.

• Understanding these key criteria enable internal audit to develop its plan.

• Looking at our short-term environment and longer-term challenges, there will be winners and losers – not just organisations but departments – including internal audit.

• The difference can come down to leadership. It is a key attribute at all levels.

• During these times of organisational stress, internal audit should be invaluable.

• Leadership within internal audit requires credibility, relationships, understanding of the organisation and regulators plus empathy for the organisation and its workforce.

• Not only does your internal audit department need you but your organisation needs you to help it manage through the risks it is facing.

• Internal audit should be taken seriously, with top quality, credible people, appropriately positioned, mandated (charter) and with a seat at the table.

• Speaking as an audit committee chair, what we need from our chief audit executive is:

1. Trust: We need an open, honest relationship comprising the sharing of opinions about capabilities, gaps and risks - both current and emerging.

2. Confidence: We need you to use the ‘guiderails’ that the audit committee provide; your remit is broad and we know where to focus and the key areas of attention.

3. Pace: To tell us if, as an organisation, we are going too fast/slow relative to our risk appetite.

4. Talent: Aside from capability, we expect leadership and to build leaders for the future.

5. Acumen: We expect you to know the changing context in which we operate and its impact on risks.

6. Collaboration: Develop ‘axis of control’ across assurance providers and control structures.

7. Balance and influence: Choosing what’s important and the words that matter.

8. Insight: Straightforward reporting has little relevance anymore. We need to know about inherent, controlled and emerging risk. Use of analytics is a vital prerequisite to being an internal audit department of tomorrow, not yesterday or today.

9. Innovation: Our organisations are in flux, and we need CAEs to lead by example. You cannot go around criticising others if you are not evolving and developing yourself.

10. Foresight: Personally, I would like my CAE to be a futurist

And remember: you have to enjoy what you do – otherwise you won’t do it well

There were no presentation slides from today's forum.

President/CEO of the IIA comments

Assurance is an age-old concept, possibly from some personal research, as old as 6000 years.

Of all our internal audit stakeholders, assurance matters most to the audit committee and it’s good to hear an audit committee chair articulate it.

We have a lot of work to do as a profession to better project who we are and what we are capable of.

We need to be telling our own story of the value we bring.

Institute's comments

John’s words give us much to reflection on and to take stock of. And to ask the question of whether we are where we need to be.

Absolutely - the relationship between the CAE and audit committee is important. The relationship is a real partnership, it is essential that the CAE has the visible support of the AC.

There has been much talk of assurance mapping and indeed it has been around a long time.

It provides an invaluable picture for the audit committee about the organisation: the key risks, who is providing assurance and, most importantly, can it be relied on.

Internal audit does not use this tool enough.


Chair's closing comments

Thank you, John, for giving us challenges with regards to pace of change, skills and other attributes. Many of us have a lot to reflect on based on where we are today and where we need to be in future.

Our next meeting is on the topic of cyber and we will have a subject matter expert joining us.

A quick reminder that our Data Analytics Working Group is progressing at pace. We now have an MS Teams networking facility for sharing information and planning future events. It is a powerful collaborative working group with cross sector mentoring and coaching already happening.

  

If you haven’t already, we encourage you to enter our 2021 Audit & Risk Awards. There are five categories to choose from and deadlines for nominations close on Friday 26 February 2021. For more details, click here

Please contact me if you are interested in sharing your experiences on a particular topic with this forum. There is real benefit in sharing as collaboration helps us all to develop and improve.   

Forums for your information

HIA Forum

Monthly – Zoom

Presentations and interactive Q&A

Institute invitation only, contact

Liz.sandwith@iia.org.uk

Derek.jamieson@iia.org.uk

Local Authority Forum

Monthly – MS Teams

Presentations and interactive Q&A

Institute invitation only, contact

Liz.sandwith@iia.org.uk

IA Change Forum

(agile working)

Ad-hoc self-help group sharing practical insights and ways of working

 

To join these groups contact

Derek.jamieson@iia.org.uk

 

 

Data Analytics Working Group

Ad-hoc self-help group sharing practical insights and ways of working

         

Future meetings

2021

3 March | Cybersecurity and fraud - the Institute will also be publishing its cybersecurity report.

14 April | ESG - including climate change

12 May | Board governance and the role of internal audit

09 June | Inspiring leadership


Chat box comments

Q   There can be diverse expectations between different sectors. What would your advice be?

A   (John) The audit mandate is often different. The charter is therefore important. CAEs should lead, demand even, on its content. Audit committee chairs should do the same. If it is not defined, or sufficiently defined, sit down and change it. It might not happen overnight but make it happen. A CAE will need credibility to make the change.

Q   CAEs have a role in identifying issues that may have a financial consequence. The audit committee is primarily charged with ensuring the accounts are true and fair. Would you agree?

A   (John) Absolutely. Financial control, accounting control, the whole system of control covers everything from people to numbers. It all comes back to the mandate and risk appetite of the organisation as to where the balance is.

Q   The three lines working together is the only way - what do you all think?

A   (John) Constructive tension is healthy. Internal audit need to go back to the risk appetite of their organisation to interpret facts and apply judgement. Coordination and communication across all control departments is an imperative otherwise it’s difficult to navigate and risks duplicating resources. Assurance maps are key.

A   Yes in principle - but with a healthy tension that will lead to robust and constructive conversations, it can't / shouldn't and won't always be a 'happy place' where they all agree and sometimes we will need to agree to disagree - but this must be based on 100% factual accuracy, opinions can differ factual accuracy shouldn’t.

A   Completely agree we will always have grey areas a happy medium would be lovely.

A   I would say more than work together, work coordinated, specially to keep safe the line that gives you independence and objectivity, but collaborative work between three lines surely will help the organisation at the end

A   Sometimes in large organisations it is a struggle to even identify all of the assurance functions pockets of assurance everywhere...

Q   In order to deliver in line with the expectation that John has set out, is the traditional audit plan and audit report dead? Do we need to be more involved in real time given the pace of transformation in some companies? What does this look like what does the output to the audit committee look like?

A   (John) Transformation often delivers control improvement. Organisations may choose to operate outside their normal risk appetite for a while. Internal audit needs to appreciate this. It’s important to look at the audit plan and for internal audit to be embedded as part of any transformation programme.

A   We are one page reporting. Reporting via dashboards and introducing quarterly/6 monthly plans with a backlog. Shorter, sharper focussed work, but, as always, horses for courses. You need to take the audit committee with you and get them excited about our profession.

A   Perhaps a short audit plan which is reviewed every three months

A   We've just moved to a 6-month rolling plan, with a focus on the key processes/controls that run the business (non-transformation) in your usual risk-based methodology/approach, but we also have a continuous auditing methodology that allows us to engage with key strategic/tactical programmes/projects in real time and provide a 'critical friend' view that provides assurance over key milestones, realization of benefits, proof points. Findings from these reviews need to/can be turned around in 24 - 48 hours to allow course correction where needed. For us, this adds value at the right time, and takes away the PIR which pokes a dead body/issue too late in the process.

A   Thanks. We have introduced the backlog concept this year for traditional core type reports and going to pepper this across our real time auditing of the transformation projects. The skill will be successfully reporting out of the real time projects - one page being the preference of the stakeholders too. It will be interesting to reflect in 12 months.

Q   While plans are approved by the Audit Committee and hence Board, there is often 'conflict' as to who (Independent Members or CEO/Exec Team) have final say. What are your views John please?

John did not have time to answer this question

A   Isn't that determined by AC charter? 

Great point John about automation/data analytics. It really does bring richer insight. It has its challenges but it’s worth the pain and it really helps audit committees.