Heads of Internal Audit Virtual Forum

14 April 2021

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity, this box is highlighted in yellow.
  • Comments from the President/CEO of IIA Global are highlighted in heather.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Speaker: Riaan du Plessis – Head of Audit, Conduct, Compliance and Operational Risk, Lloyds Banking Group


Chair's opening comments

Today’s area of focus is governance and the importance of its inclusion within the audit plan.

This is very much a topical subject - in the context of the ever-increasing focus on governance, the ever-increasing list of corporate scandals and recent discussions on UK SOX, and the recently published BEIS White Paper: Restoring Trust in Audit and Corporate Governance.

The white paper has the potential to drive really significant change in our internal audit landscape. Internal audit has not always been this prominent, so I am going to reflect on how governance has evolved in the audit plan during my career before we hear from our speaker Riaan du Plessis – Head of Audit, Conduct, Compliance and Operational Risk, Lloyds Banking Group.

The infographic below gives a brief snapshot of my personal experience of governance and the internal audit plan.


Infographic: Chair's personal experience of governance and the internal audit plan


Key takeaways - guest speaker

Delegates were asked which of the responses were closest to their own view of the following statement:

Auditing governance controls is essential to a thorough audit and often brings added insights:

  • 65% - I agree with the statement
  • 24% - Sometimes it does and sometimes it doesn’t
  • 10% - Key but no insight – almost always assessed as ‘effective’

When you read the statement and are not in total agreement, it is all too easy not to see the value that can be achieved from governance assurance. My career has taken me from a response aligned to the 10%, where I couldn’t always see the value in the governance controls to where I am today as one of the 65% agreeing with the statement.

I see three key opportunities from being close to the governance in our organisations.

  1. Overrides
  • Governance is often a pyramid structure.
  • With a senior executive at the top layering down to activities, processes and individuals.
  • There are controls within all of the layers.
  • Within a governance framework, it is important to consider where controls can be overridden.
  • Whenever internal audit looks at controls we need to think about where the opportunity is to override them – as shown by my example, up to board level.
  2. Culture
  • "Company culture is the worst behaviour you are willing to tolerate"
  • Assurance and consultancy activity requires internal audit to attend meetings.
  • Auditing governance gives internal audit a ringside seat to culture – to observe it.
  • What is happening at governance meetings tells us who is doing all the talking. What is the basis of decision-making? How much time is spent talking about risk? What is a tick-box exercise? Why is a particular topic debated?
  3. Insight
  • Senior stakeholders want internal audit to connect the dots for them, to tell them what they don't know.
  • Using the first two opportunities enables internal audit to do this in a governance context.
  • Internal audit can add value through sharing insights, particularly across silos or divisions.
  • Demonstrating internal audit credibility with its finger on the pulse.

Internal auditors may see their independence as a barrier to auditing governance.

Governance is firmly in the remit of internal audit from the perspective of challenging the framework, the controls and providing insights to add value – there is no compromise to independence.


Institute's comments

Governance is a key part of the definition of our profession.

We often think of it holistically, across the organisation yet we also need to drill down deeper, looking at the governance around strategic initiatives and major projects. Sometimes they fail because of governance: either not in place or falling by the wayside.

The insights internal audit provides should provoke positive change and innovation.

Governance is a sensitive topic. Chief audit executives need the engagement and respect of the audit committee. They need to be supportive when we add governance to the audit plan. CAEs need to be brave. Sometimes when an audit is proposed and the response is 'now is not the time', that is exactly the right time to do a governance audit.

Internal audit can prevent changes to the governance process and the information/messages that are communicated through the various layers of management.

Governance is very much part of internal audit’s agenda.

Standard 2110 Governance

The internal audit activity must assess and make appropriate recommendations to improve the organisation’s governance processes for:

  • Making strategic and operations decisions
  • Overseeing risk management and control
  • Promoting appropriate ethics and values within the organisation
  • Ensuring effective organisational performance management and accountability
  • Communicating risk and control information to appropriate areas of the organisation
  • Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers and management.

Please note: Information regarding Standard 2110 Governance was added after the meeting.


Chair's closing comments

Our next session on ESG will include guest speakers from the leisure and retail sectors.

Using data analytics to audit governance documents will be one of the topics covered in future months by the Data Analytics Working Group.

Please contact me if you are interested in sharing your experiences on a particular topic with this forum. There is real benefit in sharing as collaboration helps us all to develop and improve.       



Future meetings

12 May | ESG - including climate change

09 June | Inspiring leadership


Chat box comments and Q&A

Q   Do you think that, as organisations get bigger, there is more risk of controls and governance getting blurred / duplication? For example, as processes get added upon, layers upon layers.
A   Yes - it can happen. Often the response to any risk/control issue is to introduce a control, often a layering of controls on top of existing controls. The cost pressures that organisations are facing will probably address this by forcing all parties to look at the efficiency and effectiveness to reduce layering. Internal audit has a role to play in ensuring that this is not to the detriment of proper control and solid governance. Although I have also seen the contrary, where controls and proper governance get diluted when organisations grow. For me it depends on the culture of the organisation; this usually dictates how organisations respond to growth in terms of risk and control.

Q   Any tips on reporting on governance findings, which can be more subjective and are more complex than reporting on straightforward non-compliances?
A   It might be useful to include cultural observations within audit reports: the way things are done, the behaviours observed. It might also be informal, verbal feedback. There is a place for both hard-coded formal routes and softer options.

• Multiple layers of governance bodies with repetition of attendees and recycling of packs can also be common. Not best use of resources.

• Chair of the audit committee - what best practice criteria should be considered for appointing the person to take up this role?

• Has anyone tried using data analytics in this space? We have and it creates some 'obvious' discussion points: CV summaries (to ensure skills representation), who sits on each forum and how might that affect ability to deliver, D&I, analysis of paper length and time spent, etc.

• I'd be interested to know what proportion of IA functions outsource the audit of governance to manage some of the challenges in delivering the hard governance messages.

Answered after the forum by the speaker

Q   What's key for me when auditing governance is assessing how well the governance mechanisms are operating in practice. With reference to Riaan’s point about membership skills but also quality of information (insight driven not purely data) to enable informed decision making. Landing issues is always a challenge, but the key, in my experience, is focusing on the chairperson to get buy-in to changes that need to be implemented.
A   One approach that worked for me was thinking about governance as a pervasive “control” that ensures (1) the “right/appropriate” management consider (2) key risk aspects underpinned by quality data at the (3) right time and make (4) decisions about these. So if there are concerns in governance, approach as a “normal” control failure and link it to one of those four aspects.

Q I like the quote about company culture. Is that the way it should be in practice?
A   In my experience it does.

Q In my experience, governance papers are lengthy. Could risk teams play a bigger role in streamlining papers making them more focused?
A I think there is definitely an opportunity for internal audit to influence.  Two angles to approach: (1) Risk – if management spend too much time on “unimportant” aspects, they might not spend enough time on the most important aspects.  (2) Efficiency – opportunity to streamline meeting time, use of analytics to analyse time needed to read papers.

Q How would you set up a 'governance' audit? I find that usually it’s picked up in a standard audit. For example, has the supplier been approved at the steering committee? Is the delegated authority up to date and approved, and so on ...?
A   I think there are a couple of options on how to audit governance. (1) Audit as a key “approval/pervasive” control as part of BAU audits. Most important here for me is who makes the decision and is it based on quality information. (2) Another option is to select a sample of key/most critical risk management committees and audit their effectiveness as a standalone audit. (3) A third option is to audit a “theme”, such as business resilience or 3rd parties, that would need to assess how the business’ exec management team provides adequate oversight over this theme.

Q Do audit teams represented here get copies of their Board effectiveness reviews / self-assessments?
A This is obviously very sensitive information but we can get these for business monitoring or audit preparation as needed.

Chat comment: I'm afraid in the past, I haven't had these to be honest I wonder if they were formally completed and recorded.