Heads of Internal Audit Virtual Forum

13 May 2020

Please note:

• All Institute responses are boxed and highlighted blue.
• Where the interim CEO comments in that capacity the box is highlighted yellow.
• Where the Institute President comments in that capacity the box is highlighted heather.
• All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
• For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box comments

Q1. Start-up mindset - encourage agility and accountability: daily team check-ins, weekly 30-minute HIA reviews, and twice-a-month 60-minute reviews with audit committee chairs.

80/20 rule is very important. Being directionally correct versus being absolutely right, as well as realisation that quality is not a roadblock - all very important.

What challenges and solutions are you facing for managing the absence of physical/infrastructure site visits?

• We decided if a site visit is required but not possible, we will still proceed but will document it as scope limitation.
• I agree I have done a remote audit this week. I am preparing the report on the basis of flagging what was not possible due to not being physically present on-site.
• We’ve been noting in our reporting, exceptions where we haven't been able to get the assurance we usually would, though thankfully this has not been too much so far.

Q2. Human at the core – internal audit will need to rethink their operating model based on how their people work best e.g. working remotely.

The co-source arrangement is an interesting area.

We've been doing weekly wellbeing surveys with 5-6 questions to check if people are doing okay.

• I think it is important to include our auditees in this as well. Being flexible and understanding about availability restrictions has been central to our internal audit approach during COVID-19. 

Q3. Acceleration of digital, tech, and analytics - the COVID-19 crisis has accelerated the shift to digital. But can we go further by enhancing and expanding our digital channels e.g. successfully using advanced analytics to combine new sources of data, such as satellite imaging, with our own insights to make better and faster decisions and strengthen their links to stakeholders. 

Didn't PwC use drones to count sheep for some EU grant auditing last year?

We used drones to assess raw materials stocks - greatest challenge post-COVID-19 is not to return to the usual ways of working due to sheer inertia.

We might not be using drones or satellite images, but we are already liaising with ICT to identify opportunities for combining data sources and using data more intelligently.

Q4. Purpose-driven customer playbook – internal auditors need to understand what stakeholders/customer will value, post-COVID-19, and develop and tailor approach/delivery based on those insights. 

I'm doing lots of sprints for my clients as opposed to full internal audit reviews - so the focus is on design of controls only during this difficult time in existing and new areas of the internal audit plan.

I think real time advice is critically important at the present time. Good work!

Auditing at the speed of risk is one of the best and most relevant books you could read.

Re-assessing office and real estate strategy will be something internal audit can help with and management need to do anyway.

What elements of pre-March practices should we keep and what should we ditch?

• We shouldn't automatically throw everything out, I guess.
• I agree, we mustn't throw everything out, but we need to keep what we have learnt in this new world and also take what worked previously.
• It is also important to educate audit committees, that we can leverage the lessons learned and the new COVID-19 changes.

Q5. Ecosystems and adaptability - crisis related disruptions in supply chains and channels, mean adaptability is essential, how can internal audit support their organisations through auditing supply chains? Recognising that non-traditional collaborations with partners up and down the supply chain might be the way forward.

For local authorities supply chain is a challenge as the government has asked us to support the supply chain via supplier relief, with limited guidance on what this should be.

We are spending a lot of time in this area. For example:

• financial strength of the outsource service provider
• operational resilience of the outsource service provider
• ongoing relationship management.

With unavoidable supplier rotation due to some of them going out of business, it is a good opportunity to accelerate ethical procurement and supply-side CSR.

Identification and management of the most critical suppliers is key for me and working with them to reduce the risks to both parties in these tough times.

• Excellent point about how some suppliers are more key now than before...very fair observation.
• Agree - a big part of what we've been helping with on suppliers is getting people to reassess which suppliers are critical in the current environment as it's not necessarily the same as those assessed as critical prior to the crisis. Regular conversations between our procurement team and suppliers as well to ensure early flagging of any potential supplier failures.
• Agree with the above comment.

During lockdown we set up a ‘pay it forward’ fund where suppliers could apply for advance payments which we offset against future work - this has/should really help with relationships.

We've also challenged our teams to look beyond their direct supply chain (4th suppliers etc) to really stress test supply and then work through downstream consequences.

Supplier resilience is even more critical in the current environment in maintaining good customer outcomes, as we are only as strong as our weakest supplier. Given third party site visits/exercising right to audits etc are not possible currently, what are other audit functions doing to gain assurance?

Participant verbal question

Has anyone done any remote analysis of relevant IT audit logs to see what % of employees working from home haven't actually logged on to relevant IT for working days? Random as I say...perhaps I'm being inhuman to the core...

• I think historically this may have been more of an issue. Our analysis at the moment shows very high compliance, however this is something that may change.
• We have some suspicions about some of our colleagues!
• I haven't done any audit work, but I did get an email from our IT team saying that I haven't switched my laptop off for 18 days; and was reminded of the need to switch it off each night so that the various updates etc can take place.
• Makes sense. I can believe it...I have some concerns too where I work....
• Yes - we usually look at it the other way to identify if there is any 'random' access over working/ potential fraud indicators etc. We're now trying to use it to confirm those on furlough are not accessing our key systems etc. Our IT team is also looking at it to manage overall capacity with potential for so many people to be working from home.
• Haven't analysed IT logs but use of both MS Outlook and Teams enables managers to see who is online and when.
• Perhaps typical to have a softer approach, but we've been intentionally not performing that kind of check. We have more of a focus on ensuring managers are not pushing people too hard and addressing concerns that some managers are great at supporting everyone and sharing the message that we do not expect people to be able to do their normal workload, but others are expecting BAU to the detriment of those with caring responsibilities.
• Interesting point, we review internet access to see if there is any inappropriate access during working hours.
• It is concerning if people are not working hours, or that the job is not done?
• I haven’t been so concerned about whether people are working, but more so if they are doing things, they shouldn’t be with remote access especially around data.
• The only indicator of their performance should be work done.
• We have deliberately avoided this at the moment; however, we may include this type of analysis as remote working is extended.

The organisation is also doing a lot of extra COVID-19 work so we are in a position where many people are exceptionally busy, whilst we have a number of people who can't work from home given the nature of their roles. The organisation has taken a decision not to furlough any employees.

Attendee comments, questions, and actions

During the current crisis, businesses have worked faster and better than they dreamed possible a few months ago. Maintaining that sense of possibility will be an enduring source of competitive advantage.

This week we will explore the role of internal audit in ‘SHAPE’, a term created by McKinsey but we have adapted it to think about the future of both the profession and how internal audit remains relevant and delivers added value to their organisations.

Q1. Start-up mindset - encourage agility and accountability: daily team check-ins, weekly 30-minute HIA reviews, and twice-a-month 60-minute reviews with audit committee chairs.

Guest panellist 1

To put it into context, I have a small internal audit team of five who all work in the same location. Previous to this crisis we had no experience whatsoever of working remotely as a team, apart from the odd working from home day. In terms of working harder and faster, absolutely, I think in my experience internal audit has been up there with the rest of the business and honestly if you were to ask me, through the crisis, I never thought that we would have achieved 50% of what we have done since this crisis started. Not only are we delivering the assurance plan, albeit moving things about, we are required to accommodate the business, and provide advisory work which is where the real value add is.

From the very beginning, from that start up perspective, like a lot of other organisations and teams the whole Microsoft Teams, as a tool, has worked very well for us, both for me in terms of managing the team virtually and also delivering the audits and engaging with management across the business.

The daily check-in process with the team started off very much in terms of asking how people were themselves, how they were settling in to working from home, their general well-being and now there has been a shift, I would say, with 80% more focused on delivery of our work programme and 20% focused on the individual and their well-being and how they are in themselves and dealing with the whole ‘new normal’ we are working in. Also, what has worked quite well for us as a team is to ensure that team cohesion when we’re not together in a group, or in an office anymore, we are having weekly informal MS Team coffee chats, the one rule is that we do not talk about work or try not to talk about work. It could be about whatever DIY disaster there was at the weekend or what we’re watching on TV etc.

But thinking forward as well as we move into the ‘new normal’ I can see this remote working is going to be part of the ‘next normal’ with the team. For me I am starting to think about how we ensure that we do not lose that valuable face-to-face contact. I think I need to start defining for us as an internal audit team what bits are ideally going to be a must face-to-face contact, both with the team and with auditees as we do audit programme work, as well so that we do not lose the value of face-to-face contact.

From an agility perspective as well, I have been finding that we are having natural conversations about how we focus in on what really matters and leading that in through the scope of our audit and focusing the testing that we are carrying out. I am quite lucky that I have remit from our audit committee, to flex the audit plan to bring in emerging priorities as I see appropriate as things are moving quite quickly, it is really important and it is working well so far. I think the plan will be that I will go back to the audit committee later in the year, probably about September time. I will say this is where we are, and if we need to de-prioritise any of the original audits we had in the plan that no longer seem as important and have changed, I think we will get approval for that. We are still able to provide more real time assurance as things are happening and evolving.

Guest panellist 2

We’ve discovered that agility really is the key to this and as an example, we have 11,000 branches, pretty much as franchises, they are run by other people in other people’s premises. Whilst we are encouraging them to remain open as part of our front line service and be available for the public, obviously they can decide whether they are going to open the doors or not which has been a bit of an interesting challenge. Although most of the time, over 900 branches are open on a daily basis, so I think we are doing quite well on that basis.

The agility part is really key for us. Normally, I say normally, pre March 2020 we had three call centres that manage all a variety of things for us, a point of contact for our branches, contact for branch managers our various customers etc. and within the first week all three of those call centres were working remotely. That’s from working on a fully desktop, sat at a desk with a desk phone headset on to everybody having a laptop and everybody being able to work remotely was done within a week. I think the emergency plan team had a weeks’ notice prior that it was going to happen. But nonetheless, I am one of our biggest critics of our IT partners and they have just been amazing, getting that many people out, that’s probably about 300 people, set up, working from home, and running a call centre that is seamless to the people that need help has been really quite a big achievement.

Q2. Human at the core – internal audit will need to rethink their operating model based on how their people work best e.g. working remotely. 

Guest panellist 2

Eight weeks in, routines are pretty well established. Like Guest panellist 1 we are using MS Teams very effectively. Everybody has learnt a whole lot of stuff really quickly and that works quite nicely. We’ve even got, just to keep it a bit human, a little competition going as to who can get the best background picture. Uploaded as that can be a bit of a challenge and then changed on a daily basis just to keep it going. Joking apart it works really well with the key stakeholders too, it just gives a little bit of light heartedness in amongst all the serious stuff that is going on. We have regular check-ins with key stakeholders. It is dead easy to get bogged down in just sending emails and waiting for someone to come back to you, but actually it is really important that you get the opportunity to catch up with people. The other part, I guess for that, is we have a team of five as guest panellist 1 does and the daily calls that we have gives us the chance to do the check-in. Head of internal audit progress check etc. an opportunity for peer support. For the two single people in the team it gives them a social opportunity, one of them lives on their own in a flat so they have no garden or anything, the other is a single parent some of this stuff is pretty much the only adult conversation they get so the whole business is working on that basis. There is really good support from HR as well and lots of remote resources we can do to access that.

Guest panellist 1

Certainly, from our perspective it has been very much people focused from the outset. Just the other day actually HR released a survey to get the pulse of everybody. How their wellbeing was with working remotely. They started off asking people how they were feeling about the potential for going back to the office, as they are starting to think about planning some type of return, social distancing with shift type arrangements and to see how people are thinking about that.

Q3. Acceleration of digital, tech, and analytics - the COVID-19 crisis has accelerated the shift to digital. But can we go further by enhancing and expanding our digital channels e.g. successfully using advanced analytics to combine new sources of data, such as satellite imaging, with our own insights to make better and faster decisions and strengthen their links to stakeholders. 

Guest panellist 2

It has made a big difference as to what goes on in our business. We’ve never had the best invested most up-to-date IT systems anyway just because we are Government owned effectively, and we haven’t had a lot of spare cash to spend on that sort of stuff so if it works, we keep it going.

Having devolved all those people, pretty much 3,500 people that would normally work on the systems, some mostly in the offices, everyone is now working from home apart from a few key teams that are socially distanced within offices. The VPN is better than the network, it’s the most stable it has ever been and they can turnaround IT supply requests in no time at all. I got a screen the day after it was approved. This is unheard of, we would never have this in normal circumstances, so this sort of stuff has really moved on. The other side to this is the digital piece around working papers and things like that. If you started in the early 1980’s like I did, you’d have been brought up on files and paper, etc. and I’ve traditionally struggled to wean myself completely off that, but in the last eight weeks we have had to. Everything is digital because you’ve got nowhere to file paper. You’re working from home you don’t want your living room overtaken with paperwork, so everybody has benefitted from having to use digital with the resources we have.

From a data perspective, we had a project ongoing anyway to improve the access for data. The good news with this, if there is some good news in this crisis, is that this is massively accelerating and there is a proper company-wide focus on this now. So, this is probably the first chance we have got in the recent past of getting a decent data solution, but that is very much work-in-progress for us.

Q4. Purpose-driven customer playbook – internal auditors need to understand what stakeholders/customer will value, post-COVID-19, and develop and tailor approach/delivery based on those insights. 

Guest panellist 2

Remaining close to stakeholders is really important. We have concentrated on assurance, a little bit of advisory, obviously with a small team that is tricky as you have to put in safeguards for post-crisis audit work to make sure you’re not checking your own homework etc.. We have a good relationship with our co-source team. We are under pressure not to spend any money with them, we can use them if needed to create borders and put some Chinese walls up. But pretty much the key thing that we are doing at the moment is providing assurance to the business over changes, fixes have been put in, controls have been flexed and provide fair challenge because what we mustn’t forget is that no one has actually done this before for this length of time. Everyone has done a bit of BCP (Business Continuity Planning) but this has come at a whole different level. 

Guest panellist 1

Post COVID-19, what do we think our stakeholders and customers are going to value. It’s probably a bit hard to predict specifically at the moment as things evolve and change. But, in my view, certainly the advisory support is going to be more valued by the business. As a team we have also delivered advisory support, but through this crisis the advisory support we have been able to deliver to the business has been very real time as they have developed their response plans and continuity plans  – I think it has been really valued by the business and we have had really good feedback from senior management on that. Also we have been invited quite a lot into giving a view on the changes to processes as a result of the situation. For example, how we are paying suppliers etc. Post COVID-19, I can see more requests for that advisory element that I think is a good thing and I have no issue with that.

In terms of independence, I don’t see it as an issue and never have, for me independence is a state of mind and always will be. Also, the whole emerging risk piece has been an area that there has been a lot of talk about obviously. Where internal audit will have to be more, on the front foot, if you like, I think in delivering more real time assurance over those emerging risks. It raises a question in my head as to how we begin to interact more with the risk management function and are able to challenge how management is setting the probability on those high impact risks. Perhaps this is going to force more liaison between internal audit and risk and some blurring of the lines there. I don’t quite see in my head yet as to how it is going to pan out and time will tell I suppose. It’s one that I know is on my ‘to do’ list as well, there’s a book about it, Richard Chambers book on Auditing at the Speed of Risk, so I definitely think I am going to have to read that book.

Guest panellist 2

It is similar to Guest Panellist 1. The advisory bit is really valued at the moment. We were quite lucky in as much as we were planning a piece of work on our Change function anyway that was looking at how the business adapted to crises. Having the team working very closely with the project team that are leading the business on this has been really helpful, so we have been able to put stuff in real time. What we have done with the more regular work is that we have prioritised controls across the business at the moment that may have been affected and impacted on change through this crisis. Traditionally we have been reporting at the end of the piece of work and then it goes through an arduous clearance process normally. What we have done now is that we have a single page interim report that we are using, that the Chief Executive has very kindly championed. All the usual speedbumps that we have come across have flattened pretty quickly, which is handy. We have done three of these already in the last three weeks and they have gone down very well. That is something that we will be keeping, regardless of how we move along and how quickly. That is where we are with it at the moment, we are just making sure that we are keeping on top of everything as they arise. This speed of reporting which will have the added bonus that when we get to the arduous reporting process, everyone has agreed everything at the interims anyway. We think this will be a positive for us.

Guest panellist 2

I suspect that the logging bit goes on, I can’t answer that as I don’t know, within HR, but it is very much people focused. As I said in the introduction, the key thing is we are running the business on a franchise basis pretty much, apart from a couple of hundred directly managed branches. It is key that those people are looked after, and they feel comfortable coming to work. Because it’s franchised then the business took a decision to, from April, provide the franchisees with all their remuneration guaranteed, obviously with business downturn massively, their remuneration was guaranteed for April while we worked out what was going on. I think they are receiving 80% for May and then June is still under discussion, so they are very much, people at the core.

Participant invited to raise a question

General question really, obviously with so many people working from home, one of the thoughts that I have been having is, are people actually working from home? I think many people are, many people are doing far more than they should and I do appreciate that, but there is plenty of opportunity we know for external fraud and there is plenty of opportunity for internal fraud and I just wondered, as the question I popped up in the chat box, asked whether anyone has been reviewing or contemplating reviewing logs just to see if people are doing what they are supposed to be doing. 

Guest panellist 1

I am not aware that we have been doing any sort of tracking. Certainly in my own team I have had to be very conscious to provide the flexibility as everybody is dealing with other challenges (myself included) such as children, childcare and home schooling alongside delivering my day job. In my experience, most people are doing the work, maybe not set hours during the day, and having to pick up in the evening, which is not ideal, but that is where we are.

Q5. Ecosystems and adaptability - crisis related disruptions in supply chains and channels, mean adaptability is essential, how can internal audit support their organisations through auditing supply chains? Recognising that non-traditional collaborations with partners up and down the supply chain might be the way forward.

 
Participant invited to raise a question

We are being directed by the Government at the moment that what we have to do is secure our supply chains to support the delivery of critical services to citizens across our City. What we are being directed to do by the Government is provide supplier relief, so that is really interesting because they have made some amendments to the Government procurement guidelines but they haven’t actually told us what the shape of what supplier relief should look like. Some of the questions that we have been asking when procurement have been engaging with us is, what do you need to do. What is that going to look like. We have been saying to them is it cashflow relief, where you are maybe going to continue to pay them full price when they cannot deliver full service in the short term. Is it perhaps advance payments that will be repaid and offset against future supplier services. Is it a cash costed council where you are essentially giving them grants that won’t be paid and it is a sum cost to the council essentially to secure the supply chain?

We have been working really hard with our procurement service to try and shape what that might look like and develop a risk based approach. Procurement say to the supplier, how critical is it for you at the moment, are you furloughing people, what is it looking like and they also they need to think about the priority of those suppliers. Some suppliers, if they were way down the supply chain in terms of criticality and priority before and are now moving up to the top, PPE being the critical ones. They wouldn’t of been assessed as a critical supplier before, where we may have had some critical suppliers supporting the Council capital projects. Those are now on hold and further down the supply chain. There has been a lot of engagement between our internal audit team and procurement team to work through and see what that looks like. What we are trying to do is provide assurance on the design of these processes at the moment and try and get that audit check that they are fit for purpose. Which includes a proportionate amount of control and look at the risk appetite. The risk appetite is really that we have to get a lot of these processes in quickly because suppliers are asking for help right now, Government are expecting us to have it in place by tomorrow.

Participant invited to raise a question

One of the points niggling me in terms of auditing at the speed of risk is  that outsourcing and supply chains are very closely aligning with the risk management department in terms of what I mentioned (financial strength of the outsource service provider, operational resilience of the outsource service provider and ongoing relationship management), and in terms of stressing the chain as much as you can. Looking at the sub-outsourcing, although we fall under the European Banking Authority guidelines that were published last year. We are reviewing these in terms of that we have to have an up-to-date outsourcing register which is something that we are being very proactive about in terms of making sure that it is right up-to-date in terms of risks and what has changed to the risks.

In relation to management, it is very important to our outstanding and sub-outsourcing and working in a different environment, having a different maybe costing model structure, how that is affecting us now. How that can affect us going forward and incorporating that into our budgets, our operational risk registers and seeing what is down the line. Also looking at the human element of it as well in terms of changes in the strategy, what we may have to change in terms of outsourcing providers for us that we have no control over. It is a key area that we have been bringing to the audit committee in terms of a very fluid up-to-date outsourcing register what’s changed, what’s moved in terms of the risk ratings and what we are doing about it. What we can do about it and what we are planning to do about it.