Heads of Internal Audit Virtual Forum

18 August 2021

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair and Speaker: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Institute: John Wood - CEO, Chartered IIA

CEO's opening comments

The Institute received comments for our response to the BEIS White Paper – Restoring Trust in Audit and Corporate Governance from a number of members via a variety of groups, including from our Technical Guidance Working Group, audit leaders, Council and also individuals.

We are supportive of the broad direction of travel on audit reform that the White Paper sets out. We view its publication as a once in a generation opportunity to restore trust in audit and corporate governance. Along with improved and more effective external/statutory audit and stronger responsibilities for company directors, we believe that there is a compelling case for internal audit to have an enhanced and strengthened role as a cornerstone of good corporate governance.

We now look at some of the opportunities that the white paper offers and actions that CAEs need to take now.

The Institute’s response to the consultation can be found here.

The key opportunities for internal audit to engage with are:

  • Stronger internal company controls
  • Audit and Assurance Policy
  • Corporate auditing
  • Audit regulator powers (ARGA)
  • External audit scope/purpose
  • Separation of regulatory audit/non-audit arms of professional firms
  • Shared audits
  • Public Interest Entity definition

We focus on the first three today.

With dual reporting lines, CAEs also need to consider conversations with their CEO.
Our Institute CEO shares his personal perspective on communicating with a CEO.

  • A busy CEO is likely to be aware of the consultation but not the detail and its implications
  • CAEs need to provide this insight in a time efficient way
  • Get to the point and tell it as it is – bad news included:
    • Does this impact our organisation?
    • What can we do now to mitigate the impact?
    • What will the regulatory burden be?
    • Will external audit costs increase?
  • CEOs need the big picture to strategise and lead effectively. No CEO likes surprises.
  • A CAE who develops their relationship and credibility with the CEO means that they will want to hear what you have to say.
  • Finally, it’s helpful to think of these conversations as an elevator pitch – get your message across quickly, keep it high level and action-orientated.

Here is our top tips slide

 

Our key message today is “talk to your audit committee chair now.”

Which of these conversations have you had with your audit committee chair?

1. Our organisation needs to prepare an Audit and Assurance Policy (AAP). Internal audit has the tools available to support the board and facilitate this.

IIA: Our new guidance AAP: the role of internal audit and How to facilitate  creation of an AAP provides a starting point for CAEs. The 3i Group 2021 Annual Report includes an AAP (see page 99). It gives an idea of possible direction. This requirement could land quickly if introduced as an addendum to the Companies Act 2006
Comment: De facto led by internal audit and owned by the board
Comment: Asked to draft - it’s a little intimidating. Would any CAEs work collaboratively on this?
Comment: The A&A policy also needs to include the role of external audit. So they also need to be included in the facilitated sessions

2. There are proposals to create a corporate auditor role – now would be a good time to review the internal audit charter as this is the role we provide.

IIA: Conversations during the consultation window highlighted that there is mixed understanding among influential stakeholders about the role of internal audit. There is no requirement for a new corporate auditor. There is no recognition of how the proposal sits in relation to the three lines model.
Comment: Concern that BEIS are mixing second-line and third-line assurance. There is a risk that internal audit could become 'an' assurance function not the ‘key’ assurance function.
Comment: It's a confusing position - midway between internal and external audit. This needs clarity.
Comment: The UK has a window of opportunity to avoid this: rally the flag and run up the hill.
Comment: We need to squash this idea. Sometimes turning to co-source partners for skills or ‘difficult’ engagements devalues the role of internal audit.
Comment: If this becomes a requirement, it must report into the CAE.

3. Internal financial controls are going to be strengthened – it would be good to have a conversation about options, internal audit resource and maintaining a balanced risk-based audit plan.

IIA: Look at learnings from US SOX and J SOX. We need to extend this and strengthen all controls not focus solely on financial controls.
Comment: This area is attracting the most attention. There is an expectation that a CAE will lead the programme and deal with potential independence issues further down the line.
Comment: Passionate that the UK does not make the same mistakes as the US. Experience suggests board and management are unclear on controls – driving training and awareness now will enable real ownership going forward.
Comment: If we think about US SOX, a Taylor Swift lyric works well: ‘I’ve seen this film before and I didn’t like the ending.’
Comment: Often debated, which line does this. Is it 1.5 rather than first or second? Risk culture is important in deciding how an organisation responds.

4. Fundamental to the consultation is concern about the quality of external audit assurance and corporate failure – what are your thoughts about our relationship with ‘x’ and their effectiveness?

IIA: Be prepared to give your opinion. Are you having sufficient conversations to form an opinion? The Redmond Review, talked about the value of a strong relationship at this level without compromising independence, although public sector this message cuts across all sectors
Comment: Despite a good relationship, conversations have always been a relatively box ticking exercise due to different materiality concerns

5. Significant governance reform is imminent – how can I help you?

IIA: Disappointment about timeline for reform, no real commitment other than by the end of this Parliament
Comment: As CAEs we need to make a bid, get talking with stakeholders about what we do, demonstrate our value through our work and help our organisations frame what happens going forward. Great dangers but also huge opportunities too. We cannot sit back. We have to get out there and talk and bid for our natural role.

Act now!

  1. Read the Institute’s response to the BEIS consultation
  2. Look at the Audit and Assurance Policy in the 2021 3i Group plc Annual Report (page 99). Might it meet your organisations requirements?
  3. Use the new technical guidance
  4. Talk to your audit committee chair about these questions. Focus initially on the AAP and the role of internal audit
  5. Start a regular dialogue with your audit committee chair about the future of internal audit (your remit, your skills for the future and the risks) presented by the concept of corporate auditing

 Click here for the presentation slides.

Chair's closing comments

At our next session on 22 September, we will use Risk in Focus 2022, as the basis for discussion.

The IPPF is currently under review. Please take time to complete this IIA Global survey by 31 August.

Our Internal Audit Conference is open for booking – click here for details.

Please contact, derek.jamieson@iia.org.uk, if you are interested in sharing your experiences on a particular topic with this forum. There is real benefit in sharing as collaboration helps us all to develop and improve.        

Click here for information on all of our virtual forums, special interest groups and regional networks.


Chat box question

Q: The key question for us, as a charity, is whether we will come under the definition of a PIE? Does the IIA have a view on the PIE definition?

IIA: Here is an extract from our consultation response that directly addresses the consultation question ‘should the Government seek to include large third sector entities as PIEs beyond those that would already be included in the definitions proposed for large companies? If so, what types of third sector entities do you believe should be included and why?

The Chartered IIA does not believe the Government should seek to include large third sector entities beyond those that would already be included in Option 1. This is because Option 1 will already capture most of the third sector organisations of a size and scale that can be regarded to be of public interest, and the Government must be careful to ensure it is reasonable and proportionate in its approach to widening the definition of a PIE. We would further add that in terms of third sector organisations covered by the new PIE definition, the Government will need to be mindful that these organisations have distinct governance arrangements, that differ from the private sector. We would therefore encourage close dialogue and collaboration with the Charities Commission, NCVO and other third sector stakeholders on these matters.