Heads of Internal Audit Virtual Forum
2 November 2022
Please note:
- All Institute responses are boxed and highlighted in blue
- Where the chair comments in that capacity, the box is highlighted in yellow
- For confidentiality, the identities of all delegates/attendees are anonymised
Participants
Chair: Derek Jamieson, Regional Director, Chartered IIA UK and Ireland
Chair's opening comments
Good afternoon everybody. I am Derek Jamieson, Director, Regions for the Institute. Welcome to this afternoon’s Heads of Internal Audit Virtual Forum.
Today, we are focusing on Resilience. For some, Resilience is potentially one of those terms which seems to have risen rapidly in prominence, potentially just a flavour of the month topic which will wane again over the coming months. For others perhaps an unnecessary addition to the audit plan.
Clearly, this is simply not the case. The focus on resilience is essential and internal audit certainly have a role to play in supporting the organisation.
What does resilience mean? What are we seeing? What concerns us most? What is the IA role? These are four relatively basic questions which we are going to respond to today.
My guests are Elizabeth Young, Partner in Azets. Elizabeth leads an internal audit team which focusses primarily on the Public Sector. She has insights drawn from the organisations her team supports both at operational level and from Audit Committees.
My second guest today is Liz Sandwith from the Institute. Like me, Liz speaks to a wide range of organisations every week and therefore has a considerable level of insight to share.
The session is very much a discussion between the three of us. At times I will open the floor for other contributions so please feel free to offer comments or questions in the chat as the conversation progresses and I will endeavour to pick them up.
|
Key takeaways
Please find attached a copy of the slides for the session. Notes below are supplementary.
Some key initial thoughts from Derek Jamieson, Chartered IIA
- Resilience is not just about Business Continuity Planning – it’s about being adaptable, flexible, elastic and sustainable.
- Leadership, Process, People and Product each form part of an organisational resilience framework. All areas are interrelated and impact upon each other.
- Internal audit is at the heart of perfect storm in many organisations. This storm represents an environment that none of us have experienced in before.
Thoughts from Elizabeth Young, Azets:
- Resilience is becoming a more prominent part of discussions with senior management and audit committees.
- Pre-Covid, these conversations were more process driven in nature. Resilience was something that didn’t really come up despite all the information on the slides shown.
- We found during the Pandemic that a lot of our clients didn’t use their BCPs directly as part of their response but despite this they were generally happy with the arrangements they put in place and how they adapted. This has driven a shift in thinking about business continuity from being quite prescriptive to thinking more widely and using risk-based analysis.
- Audit committees have been concerned about the understanding of how decisions taken had impacted on staff, whether internal controls had suffered. There was a recognition that resilience of the organisation was wider than simply infrastructure or IT.
- Supply chain resilience is now often raised. In the past, organisations thought about their own business continuity but not of their suppliers, which they have now started thinking about more, including seeking assurance in this area. This has challenged conventional wisdom around procurement.
- There is a danger of complacency if an organisation didn’t use their BCP in the Pandemic as they could now question its worth.
- Investing time into understanding what’s business critical is key, even if an event that transpires isn’t directly captured in a BCP, there will be greater understanding of the risks around an event and actions to take.
- When there are resource shortages, or a crisis situation, it is imperative that there is an understanding of what is business critical and what can wait – how can resilience be built into such a team in those circumstances? What options do we have to help achieve some resilience, e.g. temporary staff/secondments? Internal audit can go in and offer recommendations as to how the organisation can address these issues.
Thoughts from Liz Sandwith, Chartered IIA:
- Internal audit is struggling in lots of organisations. Struggling with vacancies, absences, carrying vacancies – with some organisations not allowing recruitment because of uncertainty – but expectations of plan delivery/annual audit opinion remain.
- It’s becoming more challenging for internal audit to be resilient as a function. We’ve frequently talked about the use of data analytics and other tools and being adaptable and agile to respond faster. A lot of functions are still struggling to get their organisations to embrace new tools and approaches.
- We need to embed resilience into internal audit’s objectives and make sure we are more involved in transformation, projects, and system implementation to look to provide real time assurance.
- We probably need to do more in an advisory capacity, e.g., involvement in working groups looking at solutions.
- Internal audit needs to be more candid with our organisations. How can we encourage them to think more widely and out of the box, not just assuming that because we’ve dealt with the Pandemic, we’ll be able to manage anything?
- There was a lot of surprise that crisis management/business continuity planning wasn’t scored more highly in Risk in Focus 2023.
- Is internal audit involved with stress testing in your organisation? When does it hit perfect storm territory?
- Internal audit has the unique opportunity to be the conscience of the organisation and think about the challenging question we ask of the organisation.
- We are unusual in that we have a holistic view of the organisation, and this allows us to see what is working well and what could be shared with/across the organisation. For example, today – do we take information from conversations like these back to the organisation? Insight and foresight are key.
Thoughts from Derek Jamieson, Chartered IIA:
- There is a potential weariness from people now who don’t have capacity to take on more, and events that in the past might have been manageable in their own right, are now coming in waves to people and departments that are already stressed and stretched, with their own personal resilience being lower – a change fatigue is now commonplace.
- It’s not clear how resilience is being considered properly in the context of delivering the organisations strategies internal audit has a role to play here.
- It’s important that if we are monitoring situations, we use the information we have to hand from the work we have already done.
- Internal audit needs to connect the dots when we complete audits. Consider the organisational resilience framework and the potential for a failing in one area to impact another, potentially elsewhere in the organisation. Share this knowledge and information.
- A final thought – Providing a view on organisational resilience is surely a core part of the job we do.
Chair's closing comments
As usual, notes, chat comments and the slides shared today will be placed on our web pages in the next couple of days.
A couple of updates for you before we close:
- Wales Conference – Postponed due to the rail strike. A date being reset for late January 2023. Very disappointed but will use the time to further refine our approach for the day.
- Scotland Conference on 1st - 2nd December - we have a strong line up of speakers, including from organisations such as Audit Scotland and Scottish Government.
And finally, our last session for 2022 will be on the 7th December and will focus on Fraud. Our Fraud forum was initiated earlier this year and with membership steadily increasing we thought it was time to ask them to share what they have been focussing on, some of the insights they have gained and their intentions for next year’s agenda. At this meeting we will also run a short poll to understand a little about what you would wish from this forum next year.
Our next LA IA Forum on 23rd November is on Effective Communication and Reports and we’ve Data Analytics Forums scheduled on 10th November and 14th December – please contact mandy.coleman@iia.org.uk if you’d like to be added to the mailing list about these.
Please visit our Events section for further details.
|
Questions/Chat box comments
Comment: Business resilience is highly dependent on People resilience. Especially given the pressure on people today. There is a general weariness amongst people and resource constraints are happening in all departments, just when we’re needing more resilience. I think there is still too much focus on "Recovery" from a major event rather than ongoing ability to manage ongoing changes and stress.
Comment: I think that in the past, we have tended to look at disruptive events in isolation, e.g., major transformations - things that happened one at a time and could plan for these, with some recovery time in between. The perfect storm illustration shows how we are experiencing multiple events, either in parallel or in rapid succession. A resilient organisation is one that can roll with the punches and come out stronger at the end of the sequence.
Response: Agreed. We've also started thinking more about layered risk and what happens to otherwise well controlled processes when resilience comes under pressure - obviously this is more of an issue for manual processes and controls. We need to be able to use Management Information in a meaningful way too.
Comment: Collins Dictionary word of the year = permacrisis!
Comment: The unpredictability of climate change related events is an issue. It is part of the permacrisis that all organisations may not have adequately considered. There is a perception that climate change is for the MPs to deal with and for internal audit to deal with the more ‘concrete’ issues. Climate change is causing issues with huge impact.
Question: May I ask who has avian flu on their organisations risk register and the consequences that may flow from that?
Answers:
- I know the Chief Vet for Wales has it on their Risk Register - but I doubt it is elsewhere...
- I have seen it at a previous role.
- We have any outbreaks on corporate Risk register (new flu strains, covid variants, monkey pox etc)