Heads of Internal Audit Virtual Forum

14 April 2021

Please note:

• All Institute responses are boxed and highlighted blue.
• Where the chair comments in that capacity, this box is highlighted in yellow.
• Comments from the President/CEO of IIA Global are highlighted in heather.
• For confidentiality, the identities of all delegates/attendees are anonymised.

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Speaker: Riaan du Plessis – Head of Audit, Conduct, Compliance and Operational Risk Lloyds Banking Group

Infographic: Chair's personal experience of governance and the internal audit plan

Key takeaways - guest speaker

Delegates were asked which of the responses were closest to their own view of the following statement:

Auditing governance controls is essential to a thorough audit and often brings added insights:

• 65% - I agree with the statement
• 24% - Sometimes it does and sometimes it doesn’t
• 10% - Key but no insight – almost always assessed as ‘effective’

When you read the statement and are not in total agreement, it is all too easy not to see the value that can be achieved from governance assurance. My career has taken me from a response aligned to the 10%, where I couldn’t always see the value in the governance controls to where I am today as one of the 65% agreeing with the statement.

I see three key opportunities from being close to the governance in our organisations.

1. Overrides

• Governance is often a pyramid structure.
• With a senior executive at the top layering down to activities, processes and individuals.
• There are controls within all of the layers.
• Within a governance framework, it is important to consider where controls can be overridden.
• Whenever internal audit looks at controls we need to think about where the opportunity is to override them – as shown by my example, up to board level.

2. Culture

• "Company culture is the worst behaviour you are willing to tolerate"
• Assurance and consultancy activity requires internal audit to attend meetings.
• Auditing governance gives internal audit a ring side seat to culture – to observe it.
• What is happening at governance meetings tells us who is doing all the talking. What is the basis of decision-making? How much time is spent talking about risk,? What is a tick-box exercise? Why is a particular topic debated?

3. Insight

• Senior stakeholders want internal audit to connect the dots for them, to tell them what they don't know.
• Using the first two opportunities enables internal audit to do this in a governance context.
• Internal audit can add value through sharing insights, particularly across silos or divisions.
• Demonstrating internal audit credibility with its finger on the pulse.

Internal auditors may see their independence as a barrier to auditing governance.

Governance is firming in the remit of internal audit from the perspective of challenging the framework, the controls and providing insights to add value – there is no compromise to independence.

Future meetings

12 May | ESG - including climate change

09 June | Inspiring leadership

Chat box comments and Q&A

Q   Do you think that, as organisations get bigger, there is more risk of controls and governance getting blurred / duplication? For example. as processes get added upon, layers upon layers.
A   Yes - it can happen. Often the response to any risk/control issue is to introduce a control, often a layering of controls on top of existing controls. The cost pressures that organisations are facing will probably address this by forcing all parties to look at the efficiency and effectiveness to reduce layering. Internal audit has a role to play in ensuring that this is not at the detriment of proper control and solid governance. Although I have also seen the contrary, where controls and proper governance gets diluted when organisations grow.  For me it depends on the culture of the organisation, this usually dictates how organisations respond to growth in terms of risk and control.

Q   Any tips on reporting on governance findings, which can be more subjective and are more complex than reporting on straightforward non compliances?
A   It might be useful to include cultural observations within audit reports: the way things are done, the behaviours observed. It might also be informal, verbal feedback. There is a place for both hard-coded formal routes and softer options.

• Multiple layers of governance bodies with repetition of attendees and recycling of packs can also be common. Not best use of resources.

• Chair of the audit committee - what best practice criteria should be considered for appointing the person to take up this role?

• Has anyone tried using data analytics in this space? We have and it creates some 'obvious' discussion points: CV summaries (to ensure skills representation), who sits on each forum and how might that affect ability to deliver, D&I, analysis of paper length and time spent, etc.

• I'd be interested to know what proportion of IA functions outsource the audit of governance to manage some of the challenges in delivering the hard governance messages.

Answered after the forum by the speaker

Q What's key for me when auditing governance is assessing how well the governance mechanisms are operating in practice. With reference to Riaan’s point about membership skills but also quality of information (insight driven not purely data) to enable informed decision making. Landing issues is always a challenge, but the key, in my experience, is on focusing on the chairperson to get buy-in to changes that need to be implemented.
A   One approach that worked for me, was in thinking about governance as a pervasive “control” that ensures (1) the “right/appropriate” management consider (2) key risk aspects underpinned by quality data at the (3) right time and make (4) decisions about these.  So if there are concerns in governance, approach as a “normal” control failure and link it to one of those four aspects.

Q I like the quote about company culture. Is that the way it should be in practice?
A   In my experience it does.

Q In my experience, governance papers are lengthy. Could risk teams play a bigger role in streamlining papers making them more focused?
A I think there is definitely an opportunity for internal audit to influence.  Two angles to approach: (1) Risk – if management spend too much time on “unimportant” aspects, they might not spend enough time on the most important aspects.  (2) Efficiency – opportunity to streamline meeting time, use of analytics to analyse time needed to read papers.

Q How would you set up a 'governance' audit? I find that usually it’s picked up in a standard audit. For example, has the supplier been approved at the steering committee? Is the delegated authority up to date and approved, and so on ...?
A I think there are a couple of options on how to audit governance.  (1) Audit as a key “approval/pervasive” control as part of BAU audits.  Most important here for me is who makes the decision and is it based on quality information. (2) Another option is to select a sample of key/most critical risk management committees and auditing their effectiveness as a standalone audit. (3) A third option is to audit a “theme”, such as business resilience or 3^rd parties, that would need to assess how the business’ exec management team provides adequate oversight over this theme. 

Q Do audit teams represented here get copies of their Board effectiveness reviews / self-assessments?
A This is obviously very sensitive information but we can get these for business monitoring or audit preparation as needed.

Chat comment: I'm afraid in the past, I haven't had these to be honest I wonder if they were formally completed and recorded.