Heads of Internal Audit Virtual Forum

22 July 2020

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity, this box is highlighted in yellow.
  • Where the interim CEO comments in that capacity the box is blank but highlighted.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

This week’s forum was a question and answer session where the Chartered IIA answered questions from participants in relation to qualifications, training, the Institute, and its activities.

1. Would members be happy to share examples of live assurance outputs produced during the COVID-19 period, for example on climate change and culture, sharing experience and best practice facilitated through the Chartered IIA? 

Institute's comments

We are all in a process of learning at the present time, continuing to deliver the highest level of assurance to our stakeholders. Anything that we can share would be beneficial. Over the last 19 weeks, if nothing else, we have learned to work collaboratively, and this forum has been a great way of doing that.

If anyone is willing to share either verbally or in writing, any of the live assurance examples that they have prepared, the Institute will make sure that they are anonymised and included on the Chartered IIA’s COVID-19 Hub.

We have a timetable for the sessions moving forward and culture is going to be part of that. I would anticipate from what has been said in these forums previously, culture in organisations has changed significantly during the pandemic. Therefore, understanding now, whether we have the culture set by the board, that it expects to see across the organisation or whether the culture has evolved, and the board are behind the curve, are interesting points to explore.

The work that internal audit could do around culture, across all areas of the business is going to be incredibly helpful for our key stakeholders to understand the business, how it is functioning in the ‘new normal’ and what the impact of COVID-19 has been.

2. Chartered by experience (CBE) qualification - Is it relevant in the current scenario and going forward? A question from someone considering doing CBE, seeking permission from their line manager who is outside of internal audit and posed the question to them.

Participant invited to share their thoughts (CBE panel member)

The CBE route is an excellent way of gaining the qualification and becoming a Chartered Auditor. It is relevant and potentially even more relevant now from what we have seen over recent months and the changes in the profession we have seen over the last couple of years. The syllabus is relevant, and the subject matter is relevant - it is a mark of professionalism that we should all have.

There aren’t any examinations  to sit, as it is based upon personal experiences to date, undertaken through a panel interview, makes it accessible to those who perhaps do not want to go through the examinations route. The strength of the panel interview process also means that the candidate can be asked current and relevant questions. 

Institute's comments

The Chartered award is the pinnacle qualification for our future heads of internal audit. It says something about commitment, their dedication to the profession and it says that they have gone through a rigorous process, appearing before a panel of their peers, sharing with them a presentation, and answering questions. Demonstrating to their peers that they are appropriate to be deemed Chartered.


Interim CEO comment

It is useful, particularly in changing times, having such an assessment that is very current, up to date and on point in the situational context.

To what extent does that come through when doing panel interviews?

Participant invited to share their thoughts (CBE panel member)

Some of the topics that have been set for candidates are around their experiences during the COVID-19 situation are very up to date. They have been asked about how their internal audit function has evolved during the crisis and the sort of work that they are doing now that they weren’t doing six months ago.

In answer to the following chat box question - “do any other similar professions have CBE routes?” - yes, the Institute of Risk Management has a similar way of gaining their qualification.

Regarding the question on statistics for first time passes: Many do pass first time (the pass rate is approximately 90%) which is expected in many ways. Candidates have the opportunity to ask questions about the process before the final stage (the interviews). Not everyone passes, but, at the same time, the calibre of people going through the process has increased over time.

3. CIA qualification - I have noticed that some public organisations will no longer accept CIA and only accept CMIIA. I have seen jobs posted for audit managers and internal auditors where they specifically state that you have to have the CMIIA, other educational qualifications would not be sufficient.

Institute's comments

The Institute is unaware that some organisations were not accepting CIA. It is the global qualification for professional internal auditors. It would be helpful if some examples could be shared of organisations who are not accepting CIA. From conversations with colleagues in the public sector they do accept and put their internal auditors through the CIA qualification.

The CIA is the qualification in the UK now for practising internal auditors. All internal auditors who want to undertake a professional qualification tend to do CIA.

The Chartered IIA also have a Certificate in Internal Audit and Business Risk, that is not an exam based qualification, it is based on experience and aimed at candidates who are likely to do a relatively short period of time in internal audit, maybe two or three years and then moving on whereas the CIA is for a career internal auditor.

The CMIIA is the next level up to the CIA, the management level certification and the Institute would encourage internal auditors to take the next step and achieve the CMIIA designation, especially if they see their career in internal audit.

Participant invited to share their thoughts

We certainly look at CIA for our internal auditor level staff, but we require CMIIA for our more senior staff. The CMIIA demonstrates that staff have the skill set, particularly the soft skills to take forward work as an audit manager/head of internal audit for our clients. In addition, our non-executive directors are keen to ensure that we have a highly professional service that we deliver to all our clients. I did the exams for CIA and then the CBE. Personally, I think that the CBE is a stronger route to go as it tests the soft skills more. I have some members of staff who are Chartered and to me, do not yet have the range of soft skills to be working at a more senior level, but were able to pass a technical exam. I would strongly encourage the CBE route; it provides us with assurance that the individuals have the range of skills that I think you need for that more senior level. 

Chair's comments

We are currently refreshing our job pages. As part of this, we are adding narrative around, ‘what are the skills and attributes of internal auditors at different levels in the internal audit organisational structure’. As you move up that structure the soft skills become more important.


Institute's comments

Following discussions, including those with recruitment firms, as we move forward, there will be an expectation that internal auditors have the technical internal audit skills, including an understanding of data analytics. In the more senior roles, there is a need to be able to demonstrate leadership, the softer skills – the ability to communicate and negotiate as part of our job.

What the Institute is also hearing is the need for a commercial perspective – really understanding the business, the commercial elements of the business. Where is our revenue coming from? Where are the cost savings?

HIA/CAEs in many organisations now have a seat at the top table that the internal audit profession fought long and hard to get, but as a HIA/CAE sitting at the top table there is a need to demonstrate the value they add to the organisation.

As an Institute there are a couple of things that we need to do more of – commercial training and soft skills training, these are very much on our agenda.


4. As Sarbanes Oxley (SOX) is coming into the UK in the not too distant future, to what extent does the internal audit skill set have to change to accommodate responsibilities for auditing this? 

Institute's comments

It hasn’t been confirmed that SOX will be part of the UK environment yet. It is likely that government will do a consultation process, and they have used language such as ‘light SOX’.

The concern moving forward is that if you allocate responsibility for SOX testing to internal audit, along with the regulatory and mandatory audits they are doing, when will internal audit have the time to provide assurance around business critical risks facing an organisation?

When the internal audit plan is prepared and shared with the audit committee part of the discussions should be about the resources for internal audit. We have to be a bit more pragmatic and realise that organisations are going to be really struggling for a period of time moving forward. Internal audit asking for more resources might not be well received.

Consideration needs to be given as to where SOX sits. SOX requirements may be considered to sit at first line of defence and internal audit should audit to make sure that the requirements have been completed and completed correctly. Internal audit should then provide assurance around that.

I think that the Institute needs to do more work around this area and understand exactly what Government might be looking at.

Participant invited to share their thoughts

I worked in a Financial Services organisation when SOX came into force. It didn’t impact internal audit significantly, but it was a lot of time, effort, and resource in first line control teams who were responsible for SOX and SOX governance. It was very resource intense and the requirements for being registered on the New York Stock Exchange are quite painful. The key challenge for me was that it should not all be down to internal audit, external audit it there as well. External audit will have responsibilities in relation to SOX if it comes in the UK whether it be SOX light or not. This might be an opportunity for joint working. In terms of resourcing it, if it is going to come into internal audit, you are going to need a strong team with a financial background and financial qualifications.

5. Are there any plans for the Audit & Risk magazine to be reformatted to be read digitally?

Interim CEO comment

We have been on a learning curve - the next issue will have larger type so it will be more readable. We are not yet fully exploiting the opportunities available such as access to video and moving images – overall that is the direction of travel.

The first stage of the next issue is to make it more readable in terms of the larger print. There are a number of choices we have to make to get the digital magazine to where we want it to be - this could take more than one issue, but you should see an improvement with the next issue.

6. Does the Institute have any plans of providing a statement defining the role of the head of internal audit, setting out key responsibilities and personal attributes?

Institute's comments

It is a journey, but the Institute needs to make it very clear what the skills are that are needed moving forward across all the levels in an internal audit function.

We recently published a blog post for our COVID-19 Hub exploring skills for internal auditors post COVID-19 and have elsewhere done a Facebook live stream on the matter as part of our weekly Talk to Internal Audit live streams. In that live stream, we heard from a recruitment specialist who has worked in the internal audit world for a while and get some great tips to share for internal auditors changing roles.

7. A few questions over the last few weeks over training provision and the extent that training is viewed as the right price for the right items. Could it be quicker, cheaper, and more available?

Interim CEO comment

Training must provide a need for the members. A lot of our training is in support of qualifications, we also have our public training and we are also trying to evolve our public training to meet new needs such as the soft skills, the aspiration of a more commercial outlook, etc.

In terms of pricing, if there is demand, we will look at opportunities to get the training up and running.

Please communicate with us, let us know what you need, and we can then see if we accommodate those needs.


Institute's comments

The Institute ran a webinar 23rd July 2020 (8.30am – 9.30am) on reporting pre and post COVID-19.

From discussions with heads of internal audit over the last couple of days, they have been saying that ‘bite sized pieces’ at a reasonable price might be something they would be interested in, which links into the response from the Interim CEO.

Participant invited to share their thoughts

My concern is that we have about 80 internal auditors and it is about obtaining the 40 hours CPE they each require which is quite expensive. We could bring in a trainer and get a number of staff trained altogether at a reasonable price. Now with the online courses it seems to have gone up in price and it appears that only six to eight can attend some of the online classes. I am working with the Institute’s Training Manager, looking at some of the courses for our organisation but we are concerned about being able to comply with the 40-hours CPE.

We would normally have group events where we can train all staff together but because of COVID-19 we haven’t been able to do this. At the minute I do not foresee the majority of staff being able to fulfil the 40 hours

CPE and IIA Global requirements are quite strict with regards to education and formalised training. Reading the magazine no longer counts with IIA Global towards CPE. In terms of signing off courses that are not certified we would get the line manager to confirm the course has been completed. I would assume that going forward that would suffice that the training has taken place rather than having a formal certificate, but I haven’t tested that with IIA Global.

Participant invited to share their thoughts

I have a similar issue to the previous participant in that I can normally bring someone in and train 60+ people for half a day with three CPE points, often using free resource. This is what I have to do to deliver the training needs within the budgets that we have. My concern is the organisations approach to learning and development in that learning and development plans are 70% on the job, 20% through other forms and 10% classroom-based learning. That split does not fit with what IIA Global requires for their CPE requirements.

The other question I have is around certifications. If things like the Face Book sessions etc. which are very good, and I consider them to be part of CPE, how do we certify that? Make a note of the date/time they listened to the session and what was covered? Would IIA Global accept that when it comes to auditing CPE? Any further support and advice around some of that from the Institute would be helpful; or whether we as heads of internal audit can sign off on logbooks and that would count as certification? Certainly, some further guidance around how we can provide evidence on the type of CPE that would satisfy IIA Global’s requirements would be useful.

We would normally have an all-day CPE event in May that had to be cancelled and we haven’t been able to put in place the digital alternative. We are looking at allowing some people to attend parts of the digital Chartered IIA conference and other alternatives to assist staff in meeting their CPE hours.

Participant invited to share their thoughts

Training is a real issue for internal auditors in the Charity sector. The Charity’s Internal Audit Network (CIAN), undertake an annual benchmarking survey. The findings show that around 75% are not meeting the 40 hours CPE requirement. I think a lot of that comes down to not having training budgets in charities for internal auditors.

CIAN tries to provide a number of free opportunities, would IIA Global count these as certifiable training hours? I think it is about raising the profile of internal audit and making sure that leaders understand the huge value that internal audit can add when it is done well and therefore making sure that the budget is available for internal auditors to get the right CPE. 

Institute's action

The same message has been echoed by several people today about CPE. IIA Global meetings are coming up and if you could your share any information via email to Liz Sandwith (liz.sandwith@iia.org.uk) who will speak to colleagues at IIA Global re CPE clarity.


Chair's comments

We will do another question and answer session at some point in the future.

There won’t be a meeting next week (29th July 2020) as this will be the inaugural meeting of a new local government forum.

Looking forward, we took a vote on subjects to cover and the order in which to do this over the coming few weeks.

5th August 2020 sees the start our new season of forums. From the poll undertaken the highest number of votes was ‘build back better’ i.e. effectively how do we build audit for the future. For the Institute it is about how we help shape the future of internal audit. We will then move to fortnightly meetings.

19th August 2020 we will look at data analytics which will be followed by cyber and then culture. We will have another vote after the next couple of sessions to see if the order of running is still correct.

We will then move through to Risk in Focus 2021, a subject that wasn’t on the poll but we will be releasing Risk in Focus 2021 shortly and it is timely to share this at the forum and get some feedback. Then moving onto agile and ‘build back better’ part two – it is a big subject in terms of lessons going forward. The last three sessions of the year will be disruption, Brexit, and climate change. An agenda will be sent out in due course.

Finally, as today’s session draws to a close, I would like to thank you all for attending and for your questions and contributing to our discussion.

Comments or question please contact: to Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk).


Chat box comments from attendees

Audit of response to COVID-19

Have other audit functions audited their firm’s response to Covid-19 crisis?

  • We have.
  • We audited our response to Covid-19.
  • We have not audited the response to Covid-19 per se but have audited the 'decision making trail' from a governance viewpoint.
  • We have audited the governance over our organisation's response to COVID-19.
  • We are producing a monthly dashboard covering the organisations ongoing management of Covid-19, splitting coverage across operational risk, credit risk, employee well-being, governance, risk culture and management information. 

Chartered by Experience (CBE) qualification route

Do any other similar professions have a CBE route?

I think the session held earlier this year in Dublin to give information on CBE was very useful - as many people are not very aware of the route and what's involved.

I would be interested to know whether/how many individuals don’t succeed first time through CBE?

I'm keen to do CBE, and my organisation had agreed to fund it, but the funding is now a challenge given Covid-19.

I think that the CBE enables ‘soft skills’ to be assessed better than the exam route.

  • I agree completely!


What about the CIA? I noticed that some public organisations will no longer accept CIA and only accept CMIIA.

  • I think that CMIIA is preferred for some, more senior roles for sure.
  • Very interesting. I don't think members fully understand the scope/benefit of the chartered qualification and believe it's just another flavour of CIA.
  • I do think that we need to be careful that we are not devaluing the CIA that people bring from other countries.

Audit & Risk magazine

  • A colleague has asked whether there are any plans for the Audit & Risk magazine to be reformatted to be read digitally, rather than being a digital issue of a paper magazine? He fully supports the shift from paper but finds the new digital version to be difficult to read, including when using the issue app.


What is the view of responsibilities of external versus internal audit, or potentially both working together? Really hope it is a light touch as it was painful in financial services for organisations listed on NYSE.

  • As a FTSE100 financial services company we have a SOX light team in the finance team already reviewed by external audit.


Yes, love the sound of bite-size training, especially in current remote working climate.

Continuing professional education (CPE)

Where we don’t have a certificate to confirm training, we ask line managers to sign an evaluation form. I would hope IIA Global would accept this if selected for an audit.

There are a number of charities who have zero training budgets for their internal audit teams. A high proportion of charities are not meeting the 40 hours requirement. Linked to what has been said, many are unclear as what officially can count towards CPE hours, for non-certified courses.

  • Agree we have the same challenges in the public sector and even more so now following Covid-19.

Has the IIA considered whether reading relevant articles on for example LinkedIn could count towards CPD?

  • Reading counts for the UK qualifications - PIIA, MIIA, CMIIA but not for the Global ones - CIA, QIAL.

Selling a week's worth of training per person is tough from a budgeting perspective with the wider organisation.

The Chartered Accountant qualifications allow good proportion of CPE to be personal reading, projects in work etc. Would be great if IIA could also align with that approach.

  • Agree - ICAEW is quite flexible.