Heads of Internal Audit Virtual Forum

22 September 2021

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: John Wood - CEO, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

This year’s Risk in Focus survey had an increased number of participants with 738 responses across 14 different countries.


Key takeaways

Derek Jamieson, Director of Regions, Chartered IIA, said:

  • Boards and audit committees are increasingly using Risk in Focus as a sense check when approving the internal audit plans for the year ahead.
  • Internal auditors are using the Risk in Focus report to compare and contrast what is on their agenda and to provoke a conversation with key stakeholders.
  • The following six risks have all been rising since 2020/21: human capital, diversity and talent management; business continuity, crisis management and disasters response; climate change and environmental sustainability; organisational culture; and health, safety and security.
  • Responders to the survey indicated that they expect climate change to be an increasing risk as they look forward to 2025 along with digital disruption, new technology and AI.

Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA said:

  • The number one risk in the report (and it’s been the number one risk for the last four years) is cyber security and data security. 34% of Chief Audit Executives (CAEs) said this is their number one risk. Interestingly though, the data has shown that we are not spending as much time on this risk as its risk priority indicates we should.
  • Cyber criminals have exploited the move from office working to home-working and cyber security is set to be the perennial risk of the 21st century. Businesses have had to juggle competing priorities and operational disruption, and have had to ensure that their operating devices and networks are secure.
  • You may find our recent report Mind the Gap: Cyber security risk in the new normal useful to have a look at.
  • Climate change and environmental sustainability has gone up the rankings significantly in terms of the priority of the risk. We will soon be issuing a report entitled ‘Harnessing the power of internal audit on climate risk: A good sustainability guide for audit committees and directors’.
  • Following COP26, increased sustainability regulations are on the horizon, originating in the EU and UK governments.
  • Human capital, diversity and talent management – there is a lot of challenge in this space at the moment as organisations are struggling to recruit for vacancies. One recruitment firm has said that 46% of the workforce are actively looking for new jobs and that the reason for this is that over the past 18 months staff priorities have shifted, including requirements for flexible working.
  • We will have a report coming out later this year on corporate culture through an EDI lens.
  • Supply chain, end sourcing and ‘nth’ party risk – supply chain crisis can be impacted by other factors: worker shortages, changing regulations related to Brexit, and rising costs related to importing goods from China. Concerns exist around changes in consumer demands, challenges in the airline industry, challenges in global shipping, the phenomenal increase in costs for transportation of goods and challenges around HGV drivers.
  • Rising inflation and the global tax clampdown - inflation, particularly when coupled with increasing energy costs and a rise in national insurance, has a significant impact on people’s budgets and their discretionary spend, and this creates a knock-on effect on sectors such as retail.
  • Pandemic response (from surviving to thriving) - as we come out of the pandemic, what have organisations learned? Perhaps the ability to diversify? As internal auditors, are we doing things differently, e.g. shortened audit reports, shortened audit engagement, more focused work, etc.? Are we focused on business-critical risks?
  • Fraud, bribery and criminal exploitation of disruption - a lot of focus around fraud is around external fraud but the risk of internal fraud remains and potentially will increase.
  • The Chartered IIA has launched a fraud forum – contact Jamieson@iia.org.uk for more information.

Institute's comments

Internal audit is auditing amid rapid change

While the economic recovery is promising following the deepest global recession in living memory, businesses are contending with critical supply chain issues and inflation risks.

Production costs have risen at a rate not seen for decades. Businesses are struggling to forecast demand for their products as virus infection rates and consumption continue to wax and wane. This uncertainty and disruption is being felt end-to-end through supply chains.

Organisations that do not take immediate action regarding climate change face the genuine risk of extinction.

The world has changed. Internal audit must change too.


Chair's closing comments

Thank you all for your participation in a very productive session.

Our next meeting on 13 October will be on fraud.

Finally, notes, chat comments and the slides shared today will be placed on our webpages in the next couple of days.

Thank you everyone and see you at the next session.

Forums for your information

HIA Forum

  • Monthly – Zoom
  • Presentations and interactive Q&A
  • Institute invitation only, contact Liz.sandwith@iia.org.uk, Derek.jamieson@iia.org.uk

Local Authority Forum

  • Monthly – MS Teams
  • Presentations and interactive Q&A
  • Institute invitation only, contact Liz.sandwith@iia.org.uk

IA Change Forum (agile working)

  • Ad hoc self-help group sharing practical insights and ways of working

Data Analytics Working Group

  • Ad hoc self-help group sharing practical insights and ways of working
  • To join these groups contact Derek.jamieson@iia.org.uk

Fraud Forum

  • Ad hoc self-help group sharing practical insights and ways of working
  • To join this group contact Derek.jamieson@iia.org.uk


Chat box comments and discussion

  • Contributor: This report rings very true for me in my financial services organisation. If I take my company’s strategy over the next five years, the top risks in the report are very closely aligned. Changes in laws and regulations are also very challenging in financial services and, as internal auditors, we need to get controls designed and built into new processes. We also though have a considerable challenge to attract the right people with the right skills and then to retain such people.
  • Contributor: A lot of these risks reconcile with our risk profile right now, in particular climate change and cyber security. My organisation is currently reorganising our group audit function around cyber, as traditionally it’s been on financial, commercial and IT, but it will now include IT general controls, detailed cyber security auditing and data analytics.
  • Contributor: Regarding the mismatch the report showed between resources allocated to risk significance, it was not a surprise to me. Maybe the skill set of future auditors needs to change to include those who understand gender pay gap and, in the case of my organisation, water usage ratio.
  • Contributor: This report makes it clear how the planet is facing some risks – in Colombia we are facing some additional risks that include social and political areas. Cyber, however, is definitely one of the main risks, and boards are increasingly asking how we can mitigate against this risk.
  • Q: You mentioned that it is for the executive of an organisation to set the strategy and not internal audit – could you please comment on this as it seems intuitive that this would be the case.
  • A: This is a valid question, but it may not be as intuitive as we might expect it to be. As internal auditors we think sometimes that we have the responsibility to advise (or more strongly than advise) our senior management team. But, for example, something like climate change and the setting of strategy around that, this is something that the senior management team and the board need to do. Where internal audit can add value around this is that we would give some views around risks identified or share some views around the controls that management have put in place to mitigate the risks in relation to the strategy. It is important to be clear around roles and responsibilities.
  • Comments: In the public sector, construction inflation is a major risk for government projects.