Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Heads of Internal Audit and Local Authority Virtual Forum

27 September 2023

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity, the box is highlighted in yellow.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

 

Chair opening comments | Derek Jamieson | Director of Regions, Chartered IIA UK and Ireland

Today’s session highlights the Chartered Institute’s annual report – looking ahead to what chief audit executives think are the critical risks for the year ahead - Risk in Focus 2024.

 

  

 https://www.iia.org.uk/media/1693097/ciia-risk-in-focus-2024_final-web.pdf

Results of poll questions

Does the report resonate with you?

Yes 98% (91)

No 1% (1)

Are you finding issues with IA resourcing?

Yes 73% (45)

No 26% (16)

Does your organisation (non-IA) have resourcing issues?

Yes 91% (62)

No 8% (6)

Private sector – broadly what % of resource is used for consultancy work?

  -25%       =  66% (14)

25-50%     = 23% (5)

50-75%     = 4% (1)

75%+        = 4% (1)

 

Key Takeaways

  1. Organisations squeezed by tight economic conditions need an unwavering focus on resilience and a growth mindset to navigate the poly-crisis.
  2. In these unique and challenging times, CAEs must continue to work with boards to ensure the long-term sustainability of their organisations at the same time as responding rapidly to immediate, fast-moving threats.
  3. Our research highlights the significant challenges businesses are facing given the velocity and variety of interconnected risks. With the economy still in a fragile state, internal audit needs to be focussed on the increased climate-related pressures, geopolitical uncertainties, a dangerous cyber-risk landscape, inflationary pressures, supply chain issues and attracting and retaining the skills and talent needed to navigate more risky and volatile times ahead.
  4. For CAEs, being courageous and having the confidence to get their messages across, being brave and initiating conversations in areas where no answers exist, and collaborating across the business are critical strategies for success.
  5. The poly-crisis that we now face creates huge challenges for internal audit, but it also creates huge opportunities for the profession to exceed expectations and play a leadership role in building resilience for organisational success.

Click here for the presentation slides. 

Chair closing comments

I encourage you all to read Risk in Focus 2024 and share the key messages with your team and also your audit committee using our board briefing document.

Within the broad digital risk space is the topic of AI. Looking ahead this will be one of the focuses for our Fraud Forum and also the Data Analytics Forum – for some organisations/industries it presents an existential threat. Being part of the DA group helps improve audit efficiency and the resource challenge. Our forums are all about collaboration and moving the profession forward together.

A reminder that we will now do the HIA Forum every two months, the LA Forum remains monthly.

Chat comments including Q&A

  • All of these are big, complex issues that engage organisations in multiple specialisms and require co-ordinated, expert and dedicated effort to resolve and mitigate. Given the scale of the challenge these issues represent, is it realistic that the new draft Standards task that auditors: "must formulate recommendations [to] resolve the differences between the established criteria and existing condition"? Must internal audit have the answer in order to raise the issue?

          DJ response | Recognising it is not easy, but it is where we want the profession to get to with a better              understanding of broader topic areas and what good looks like. It is a good question for discussion at the            next forum which is all about the new Global Internal Audit Standards – LA Forum 25 Oct / HIA Forum 8              Nov. 

  • Does the IIA compare the principal risks that UK plcs disclose with the results of the Risk in Focus survey? That would bring out the current and emerging risks that the corporate sector identifies.

          DJ response| This is something we would like to explore but we will need to encourage a greater                      response to the risk survey to have a meaningful population to report on. The priorities might change                across sectors and locations but the narrative remains valuable. 

  • I share with the AC via our risk paper and compare with the risks on our own corporate risk register.
  • I like to look at the report and compare to the corporate risk register to see if there's anything missing that I should consider including on the audit plan. 
  • The financial sustainability of local authorities is an accelerating risk for many of us.

           Reply | and Housing (temporary accommodation).

           Reply | and staffing – lots of vacancies we struggle to fill. 

  • Our internal audit plan includes two appendices - one showing coverage against the Corporate Risk Register and the other showing coverage against Risk in Focus. This gives ARC members assurance that we are not missing any key review areas. 
  • I work in a local government context. I have used this as a reference point, also get ideas from an annual report produced by Mazars on local govt risks, also part of a regional group where we discuss emerging issues. Also use evolving risk register. I agree with Jonathan that financial sustainability is key in local govt at present plus increased demand on services (placements for adults and children). 
  • The report is too general to apply directly to our audit plan or principal risks & controls as these are specific to our company. However, it is a valuable sense check against global risks that we are not missing a black swan or dismissing something that is a global risk. 
  • I don't treat consultancy as distinct from assurance - we can get assurance on objectives & risk management from doing consultancy work.

    DJ reply after event | Thank you for raising this, it is a good topic to pick back up at our next meeting          when we discuss the Global Internal Audit Standards as there are potentially different perspectives on          what constitutes assurance and what is consultancy.​

  • To do dynamic auditing properly and adapt to emerging risks/issues takes certain skills and experience in the audit team. Established auditors are able to do this but we struggle with new staff coming in who generally struggle. This is a significant risk to the future of the profession as it can put people off from our line of work.

          Reply | I think this is interesting and not always consistent with my experience. I find a fairly widespread            and persistent belief among auditors themselves that their job is to assure process rather than risk                and control. I find this type of report helpful in moving past that belief at senior levels but I would be                  interested (outside this meeting) on how to engage more junior colleagues on these bigger issues.

          Reply | New staff tend to want the comfort of something that has been done before and auditing                        processes fits nicely into this. I also find that managers don't understand risks and the assurance we can            give and want us to focus on processes and tell them they have a good process.

          Reply | Think that is probably the key. It's not so much junior staff we need to reach but middle                          managers who grew up in a 'compliance' audit mindset and need to develop their understanding of risk              so they can lead operational staff in delivering effective IA work that keeps pace with management need. 

  • Many Heads of Internal Audit in the public sector are not members of this institute but members of others such as CIPFA. This might mean that the public sector dimension is a little lost. Would it be beyond the pale to ask those who are not CIIA members to contribute to the survey in the future?

          Reply | CIPFA do provide updates and risks for the new audit year for public sector focusing on LAs in                  particular. Similar risks appear to this report but more focused to the sector and UK.  

          DJ response | I cannot commit the Chartered Institute to a change of methodology but it’s interesting              to hear that translating the risks between corporate and local authority would be valued. 

  • Understanding the risk areas we face is a key knowledgebase for CAEs especially where we are trying to get the "Trusted Advisor" status so any publications such as this is really useful check. However we always need to focus on the specific risks for our organisations so sometimes have to move away from global risk report findings to be relevant to our organisation and not to be afraid to do so when we have evidence that our risks are not reflected in global reports.  
  • Supplier and outsourcing risk has a significant regulatory focus in FS and we have undertaken numerous pieces of work to provide assurance in this space. 
  • For info: The CAE Group in Scottish Councils has commissioned a risk in focus study covering local govt in Scotland, as a sector-specific risk analysis, to assist with development of Internal Audit strategy and plans for 2024/25. It is also currently collaborating with Sustainable Scotland Network, and Audit Scotland on developing climate change statutory guidance including the role of audit, and soon with CIPFA on sustainability reporting, all linked to significance of climate risks.