Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA
Chair's opening comments
At our last session, John Devine shared reflections and also looked ahead to 2022, as another year of challenge and uncertainty. He commented that there is opportunity too for all organisations if they look for it and take advantage of it. His message was clear that internal audit has considerable value to add in the current environment and that all heads of audit need to up their game from whatever level they are at.
Our panel guests today focus on audit planning, the challenges of raising the internal audit bar and addressing risk priorities.
Tshego Modise, Head of Internal Audit, De Beers
To deliver the plan, a skills gap was conducted. Team development will include data analytics, training around ESG issues and collaboration.
Sandeep Das, Head of Internal Audit, St Johns Ambulance
Our audit committee is reminded that the assurance they will have received by the end of the year will look different to the plan being signed off now as we will adapt to changing priorities.
Michael Smith, Head of Internal Audit, Allianz Ireland
Our role as HIAs is strategic: knowing and understanding the key risks, contributing and advising at the top table and liaising regularly with the audit committee chair to provide insight. Upskilling internal auditors for the future is important as is flexibility in the plan, leaving some spare resource for the unexpected.
The similarity of themes for the audit plan from such diverse organisations is fascinating. The need to assess and update skills in relation to both current and, importantly, future assurance needs will ensure our profession is raising the bar and delivering value. Collating information from each audit to form a macro view for the year is insightful and a good use of resource. A different perspective on risk was given at a business leaders event pre-Christmas. A ‘worry list’ was created - the majority attending were CEOs and CFOs, along with some HIAs. They flagged that supply chain risk was keeping them awake at night, followed by recruitment/retention and, behind that, global tensions. HIAs need to stay close to the business and what is on their worry list.
Chair's closing comments
There was a lot of information shared today by our speakers. Let’s keep a high level of collaboration going forward at future forums. Thank you.
For details on how to attend our new fraud forum and/or our established data analytics forum, please contact Derek Jamieson on email at email@example.com.
Our next HIA forum takes place on 16 February and will look at what it means to be a brave leader. You can explore our full HIA forum programme here.
Lastly, please send in your nominations for the 2022 Audit & Risk Awards. Click here for details.
Q to TS: Are you able to discuss in more detail how you have approached auditing culture?
A: Our framework for auditing risk culture is still in pilot phase. As part of that pilot phase, we have looked at our values and focus in the following three areas: behaviours against set values, using different data sets, surveys and whistle-blow hotlines channels. In essence, we are still building this framework. We have further pilots scheduled this year as part of planned audits which will look at building culture specific tests/questions. We are also thinking about what we can do post set audits.
Q to TS. Is this risk culture or a wider focus?
A: Risk culture
Q to TS: How have your culture audits gone? How have they been perceived by stakeholders?
A: They've received mixed feedback, including some welcome insights and added red flags. The main issue has been value add vs effort that goes into the added focus on culture, but we continue to engage.
Comment: As a profession, we probably don't make the best use of subject matter experts. Great point about working with the experts when resources are tight.
Comment: We engaged our non-execs on our journey of auditing culture. It wasn’t perfect to begin with but it covered the basics, and became the building block for thematic and embedded audits. We score questions within each audit, which is very transparent for reporting. We are now working with academia to improve our framework.
Comment: Having placeholders in the plan is useful and works well with a 6+6 plan (present in January for the first six months, and then July for the next six months). Being agile in planning has gone down well with stakeholders.
Comment: We did a corporate culture audit many years ago - based the audit on COSO light. I am sure things have moved on but it did the trick.
For technical guidance around auditing culture, click here.