Heads of Internal Audit Virtual Forum

24 June 2020

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity this box is highlighted in yellow.
  • For confidentiality, the identities of all delegates/attendees are anonymised.


This week, we turned our attention to the second line of defence i.e. the risk function. Our guest offered his reflections on the impact of the current pandemic, primarily in relation to the overall response of his firm and the risk relationship with internal audit. He also provided some thoughts on responsibilities at societal level, along with his perspective on the challenges ahead for internal audit and how some of these could be addressed.

1. Adaptability – There are massive shifts in customer behaviour, including how people spend on their credit cards, and how people are restocking their businesses. We’re also seeing people change their strategies, and new regulations come into play e.g. IFRS9. The evolving macro-economic, societal, and geopolitical conditions play into that. However, if we’re flexible and adaptable, we can seek out and create opportunities. Adaptability will be a key skill for the 2nd and 3rd lines.

2. Digital and Customer and Colleague Engagement – We are now all digitally communicating with one another. Prior to now, if we had been asked to spend eight hours a day engaging digitally with others, we might not have welcomed it. However, it has been quite successful. This new engagement model and how we engage with our customers digitally going forward will be vital. Lots of people at this moment in time are very worried about what the current situation means for them personally. We all have a lot of colleagues working remotely and there are opportunities for us to digitally reset the strategy and accelerate it, where needed. There is no doubt that if we do not do this, we will get left behind.

3. Risk Management – Vital to the 3 lines of defence is how the 2nd and 3rd line cooperate. Risk assurance, monitoring, risk appetite and how internal audit oversees the risk function to make sure that its engagement with the 1st and 2nd line is working effectively – these are vital to the stability of any organisation whether in financial services or other sectors. There is an opportunity here for a rethink and a reset. Data driven risk management capabilities are essential. True data (real data) to weather economic downturn and taking calculated risks to help customers and businesses that urgently need support will be vital. The reprioritisation of emerging risks and top risks of organisations will reset themselves and this will afford us an opportunity to really think about what the most pressing matters are.

4. The 3 Lines of Defence - Data driven solutions between the 2nd and 3rd line will be vital. Some colleagues in the 2nd line are predisposed to become good auditors. Some colleagues in the 3rd line are more entrepreneurial and by background are probably good risk managers. Establishing where that collaboration between the 2 lines can coexist safely for organisations is very important. The biggest challenge right now in the 3 lines of defence is the new operating models.

5. Where the reset is now happening - What we need to challenge across all sectors with more people working from home is:

  • what is the oversight model?
  • how do you oversee what is happening?
  • what is the culture of decision and risk taking?
  • how is data protected?
  • how do you create a culture when people are not coming into the office?
  • how do leaders lead, remotely?
  • how do you spot talent?
  • how do you develop talent?

These are new issues and new opportunities. For new audit managers and risk managers of the future, collaboration between the 2 lines will be vital.

6. Operational Efficiency – One of the reasons why the 2nd and 3rd line need to cooperate and collaborate is because when times are challenging it is important that resources are allocated intellectually. They need to be allocated against those matters which will create regulatory risk, reputational risk, large operational risk issues. The difference between success and failure will be about prioritisation. Automation and advanced analytics and the ability to use AI (artificial intelligence) capabilities will increasingly be needed in the 2nd and 3rd lines. A lot of this technology has been invested in the 1st line, but the 2nd and 3rd lines need the skills and capability to be highly efficient, as they will need to keep pace with the technology changes.

7. Building Trust – A number of years ago the banking sector became untrusted. The credit crisis created a barrier between customer trust and the financial institutions. It was vital that banking has sought to restore that trust over the last 10 years, but it did not ever get there fully. However, considerable work has been done by banks and the regulators to restore and build trust – but that is only the start of the journey. There is an opportunity now though, because if our customers are facing a crisis, it is our crisis as well. Our ability to meet customers’ unique needs will be essential.

8. Protecting Customers – In times of crisis fraudsters and organised crime will seize the opportunity to expose the most vulnerable customer groups. The 2nd and 3rd lines need to anticipate this, and they need to hold the 1st line to account for the risk taking in the 1st line. The stresses and the friction for vulnerable people need to be minimised.

9. Connectivity – The ability to reach all team members face to face in a large function is very limited, but there now exists an opportunity to reach the whole organisation virtually. It took this pandemic for us to realise that really that capability was always there. Some of our colleagues may feel isolated – and some of our customers will want to see us face to face. So, while connectivity is easier than ever, we will still need to have face to face opportunities going forward.

10. Credit Risk – While the loss of life from COVID-19 has been dreadful, there are many people who are suffering economically from the pandemic and we have a responsibility when the next wave of it hits to help and protect the most vulnerable in society. There will be a credit wave and it will structurally alter the way we go about doing business together. The impacts of this will only be really felt once we stop payment holidays, and once we stop lending to businesses in distress. It will impact the last quarter of this year and the first three quarters of next year. The true effects of COVID-19 will then be seen.

11. Climate Risk – The impact of climate risk to the world cannot be understated. If we do not adjust our economy to be climate friendly and CO2 emissions free, and advocate for zero carbon footprint, then we will have a bigger problem than COVID-19. The skills of internal audit and risk management need to consider the significance of climate risk.

Chair's comments

Finally, as today’s session draws to a close, I would like to thank you all for attending and for contributing to our discussion. Special thanks also to our guest panellist.

We are very keen to get your feedback about this Forum, in terms of both the format and content. This will be invaluable for shaping future meetings and making sure they meet your needs. So, please do share any thoughts with Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk).

And of course, we will happily take further questions outside of this forum as part of our ongoing approach to the COVID-19 crisis. So please do get in touch if there is anything else we should be looking at!

Chat box comments from attendees

Alongside the previous and current business working relationship, how often do internal audit challenge you as risk management? Is there any basis between the 2nd and 3rd line risk “registers”?

From an efficiency perspective for the 3LODs, do you have/considering a more joined up 'assurance map'? If so, what is your approach?

Response to the questions from the speaker

We work very closely with the third line in building alignment of both the risk profile and oversight and assurance monitoring plans. Full coverage is, of course, important, but so too is the ability to calibrate the top and emerging risks analytically and thematically.

One thing I’ve found useful is swapping talent or augmenting capability to in house train capability for new or material risks. The big challenge remains around non-financial risk and the quantification and identification through the three lines whilst remaining effective and efficient. As the second line becomes more truly independent, specialists will need to have the skills to oversee and challenge the first line. The need for highly skilled talent is an ever increasing challenge especially in cyber, technology and model risk.