Heads of Internal Audit Virtual Forum

16 March 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

Our last session focussed on leadership and the challenges facing internal audit in what is clearly now an exceptionally volatile and uncertain world.  

Today, we welcome Stephen White, Interim CEO for Yorkshire Building Society. He is a senior leader with considerable experience, having previously held COO roles in AIB and NHS Direct in addition to being EGM at National Australia Bank. 

Stephen is going to talk to us today about the evolving role and positioning of internal audit within Yorkshire Building Society and his developing expectations of the function and indeed the profession in the future.

Given the deteriorating situation in Ukraine and the serious challenges this is creating around the world, I also asked Stephen to touch on some of the challenges that are emerging in his part of the FS sector and the extent to which internal audit may be able to provide assurance in the coming weeks and months.   


Key takeaways

Perceptions from Stephen White on the evolving role and positioning of internal audit:

  • My expectations for the future are that the role of internal audit has to continue to change and evolve.
  • There are certain internal audit skills that you need within the organisation that will always be required.
  • There are certain skills that almost appear to change by the day, eg cyber security.
  • Internal audit needs to be adaptive and agile in working with other partners to access required skills both internally and externally.
  • Deployment of the Three Lines of Defence model has been effective, particularly in ensuring that we meet the regulatory requirements of the PRA and the FCA.
  • No overlap between the second and third lines is important to provide a complementary approach.
  • Professional development through secondments i.e. 3rd line into 1st or 2nd line and vice versa, notwithstanding the 3rd line needs to remain independent. There continues to be an obsession regarding the ‘colour’ of the audit reports.
  • What is important is that the content is appropriate, relevant and achievable, and that the timelines are realistic.
  • The final point to cover is culture. There is one culture for all teams at Yorkshire Building Society, ‘Real Help with Real Life’ underpinned by four strategic priorities.
  • All employees will work towards the strategic direction and exhibit the corporate behaviours.
  • This applies to all three lines. They all should be aligned to the same strategic imperative.
  • The situation in Ukraine is likely to increase the importance of the role of internal audit. As a result of sanctions, financial crime controls, and the potential for increased cyber attacks.
  • Increased regulatory requirements are anticipated.
  • A recent ‘Dear CEO’ letter from the FCA concerning data quality regarding ‘red reports’.
  • For those in the banking sector, this is likely to be an area of increased regulatory focus, eg increase s166 notices. This may not be the result of an adverse event, but because the FCA would like more assurance around risks and controls.

Institute's comments

Internal audit has a key role to play in organisations. It is important to work with organisations, support organisations and help organisations be safe, resilient and efficient in what they do. It would be opportune for internal audit to pause and consider actions that it might agree with the business and whether those are efficient and effective in terms of enhancing internal control and enhancing risk management.

We, as internal audit, have a responsibility to deliver in the organisation. However, the Chief Executive Officer also has a role in supporting and encouraging internal audit across the organisation.


Chair's closing comments

Our next session is currently scheduled to focus on our recently published thought leadership report Creating a Healthy Culture – Why internal audit and Boards must take culture more seriously in a post-Covid world. There were a number of key findings in this paper that are relevant to both internal audit functions and at board level.

Given their significance, we are keen to discuss both the findings and our recommendations with this group. As usual, notes, chat comments will be placed on our web pages in the next couple of days.

We have a number of events scheduled for the coming months, including our Leaders Summit and our Internal Audit Conference. Please visit our Events page for further details.


Chat box comments and discussion

Q: You mentioned about your CAE sitting on your ExCo. Is there a chance that they could become so ingrained in the business that they lose their independence? How do you help the CAE manage this?

A: In YBS, the CAE does not sit on the main board, so there is an element of independence there. There is a role for the CAE and also the Chief Executive to ensure that independence is not used inappropriately. There is the expectation that they will live their behaviours, so they are free to step out, challenge and offer perspective as required. It is down to individuals to create the right culture – there needs to be the right level of influence balanced with not losing independence.

Q: No-one likes to see a red report but sometimes this allows things to be fixed quicker. Conversely, sometimes the business might want a red report if they seek access to more funding for example.

A: It is really about the actions coming out of the report, not the rating, that is important.

Q: What role can internal audit play in culture, particularly around providing assurance?

A: Leaders cast long shadows and it is important that leaders emulate the culture they wish to see. People watch leaders as to what they do rather than what they say. With many starting to return to the office, and people mixing more, I’d encourage internal audit to mix with different teams in different locations to understand more.

Q: You used the word agile earlier on and it’s a term that we’ve all become more familiar with. In terms of planning, do you still have an annual internal audit plan, or do you operate something more agile?  

A: Under the regulations, we have to take an annual plan to the audit committee for approval and they assess against this. The creation of the plan should take place with the business and what is the data which supports inclusion in the plan. This helps buy-in to the plan. The plan may change if something major were to arise.

Comment

We were subject to a s.166 request from the FCA recently. It was to allow the FCA to get some comfort over activities within the business. We’ve viewed it as a positive in the organisation and the assurance gained from this has supported part of the plan. Given the direction of travel of the FCA, it’s likely we’ll see more of this.