Heads of Internal Audit Virtual Forum

26 January 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

At our last session, John Devine shared reflections and also looked ahead to 2022, as another year of challenge and uncertainty. He commented that there is opportunity too for all organisations if they look for it and take advantage of it. His message was clear that internal audit has considerable value to add in the current environment and that all heads of audit need to up their game from whatever level they are at.

Our panel guests today focus on audit planning, the challenges of raising the internal audit bar and addressing risk priorities.


Key takeaways

Tshego Modise, Head of Internal Audit, De Beers

To deliver the plan, a skills gap analysis was conducted. Team development will include data analytics, training around ESG issues and collaboration.

  • Risk volatility has resulted in moving from twice yearly to quarterly plans
  • The following topics are included in the 2022 internal audit plan:
    • Governance of ESG and delivery of sustainability goals
    • Consultancy work around climate risk management
    • Cyber assurance and incident management remain a priority and will this year include a focus on data privacy
  • Establishing a three-year framework for auditing culture, including behaviours. We started with pilots last year, for which there was mixed reaction from management. It’s a journey: we are taking baby steps to bring stakeholders with us
  • Human capital continues to be important. With it comes a focus on talent management and retention, recognising the impact of a restructure programme and the pandemic.

Sandeep Das, Head of Internal Audit, St John Ambulance

Our audit committee is reminded that the assurance they will have received by the end of the year will look different to the plan being signed off now as we will adapt to changing priorities.

  • Our focus themes are similar. We are looking at cyber, culture and human capital but with more of a focus on retention
  • As a small audit team, it is imperative to leverage the work of other assurance providers, particularly in more specialist areas such as cyber
  • Digital transformation is high on our agenda as it is for many not-for-profit organisations
  • Being alert to issues and the experiences of others within the sector is important – for example the Red Cross data breach, which affected 500,000 customers and 2,000 staff members. What can we learn from this for our audit plan? As we have limited resource, we can share these types of risk stories with stakeholders to raise awareness of the issues
  • Maintaining comfort with general controls around IT and finance, the spirit of US SOX, and JSOX - even though they are not applicable to us
  • Culture and fraud are part of every audit engagement. Information will be added moving forward

Michael Smith, Head of Internal Audit, Allianz Ireland

Our role as HIAs is strategic: knowing and understanding the key risks, contributing and advising at the top table and liaising regularly with the audit committee chair to provide insight. Upskilling internal auditors for the future is important as is flexibility in the plan, leaving some spare resource for the unexpected.

  • Our audit priorities are around culture, cyber and climate. These priorities are clearly signposted in the Chartered IIA's Risk in Focus 2022 report
  • We have already completed standalone culture audits. These will be factored into our audits as cultural questionnaires and questions within work programmes. This will be used to create a macro view as the year progresses
  • We've taken deep dives in recent years. We will now attend meetings and use regular CISO discussions to stay close to cyber culture as an issue. A more agile approach is needed rather than planned audits
  • ESG focus across the entire group will be supported by training and workshops. Our organisation has set some challenging targets around decarbonisation. In addition to regulatory requirements now and in the future, this is going to be a critical area for internal audit to support the organisation. This they will achieve by auditing the target setting process and reporting on progress of it
  • Financial services regulation drives a huge part of the audit plan: operational resilience, outsourcing, new accountability regime SMCR and IFRS17.

Institute's comments

The similarity of themes for the audit plan from such diverse organisations is fascinating. The need to assess and update skills in relation to both current and, importantly, future assurance needs will ensure our profession is raising the bar and delivering value. Collating information from each audit to form a macro view for the year is insightful and a good use of resource. A different perspective on risk was given at a business leaders event pre-Christmas. A ‘worry list’ was created - the majority attending were CEOs and CFOs, along with some HIAs. They flagged that supply chain risk was keeping them awake at night, followed by recruitment/retention and, behind that, global tensions. HIAs need to stay close to the business and what is on their worry list.


Chair's closing comments

There was a lot of information shared today by our speakers. Let’s keep a high level of collaboration going forward at future forums. Thank you.

For details on how to attend our new fraud forum and/or our established data analytics forum, please contact Derek Jamieson on email at derek.jamieson@iia.org.uk.

Our next HIA forum takes place on 16 February and will look at what it means to be a brave leader. You can explore our full HIA forum programme here.

Lastly, please send in your nominations for the 2022 Audit & Risk Awards. Click here for details.


Chat box comments and discussion

Q to TS: Are you able to discuss in more detail how you have approached auditing culture?

A: Our framework for auditing risk culture is still in pilot phase. As part of that pilot phase, we have looked at our values and focus in the following three areas: behaviours against set values, using different data sets, surveys and whistle-blowing hotline channels. In essence, we are still building this framework. We have further pilots scheduled this year as part of planned audits which will look at building culture-specific tests/questions. We are also thinking about what we can do post set audits.

Q to TS: Is this risk culture or a wider focus?

A: Risk culture

Q to TS: How have your culture audits gone? How have they been perceived by stakeholders?

A: They've received mixed feedback, including some welcome insights and added red flags. The main issue has been value add vs effort that goes into the added focus on culture, but we continue to engage.

Comment: As a profession, we probably don't make the best use of subject matter experts. Great point about working with the experts when resources are tight.

Comment: We engaged our non-execs on our journey of auditing culture. It wasn’t perfect to begin with but it covered the basics, and became the building block for thematic and embedded audits. We score questions within each audit, which is very transparent for reporting. We are now working with academia to improve our framework.

Comment: Having placeholders in the plan is useful and works well with a 6+6 plan (present in January for the first six months, and then July for the next six months). Being agile in planning has gone down well with stakeholders.

Comment: We did a corporate culture audit many years ago - based the audit on COSO light. I am sure things have moved on but it did the trick.

For technical guidance around auditing culture, click here.