Chair: John Wood, Chief Executive, Chartered IIA UK and Ireland and Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA UK and Ireland
Chair's opening commentsGood afternoon everybody. I am John Wood, Chief Executive at the Chartered IIA UK and Ireland. Welcome to this afternoon’s Heads of Internal Audit Virtual Forum. We have moved today’s session at short notice because of the need for Derek Jamieson to attend an event in London today. Our apologies for the short notice of this change and I hope it has not been too much of an inconvenience to you. We are focussing on our annual report, Risk in Focus 2023, today. This year’s report has only recently been launched and we are delighted both with the response from members and with the level of media attention it has received. It is clearly a report which is continuing to build the profile of the Internal Audit profession and you are hopefully as pleased as we are with its trajectory. This is the seventh year that we have produced the RiF report and the number of CAEs/HIA contributing to the report has again hit a record number. This year we are faced with the longest and most significant list of challenges, risks and issues that any of us has seen during our careers. The challenges facing internal audit are inextricably linked to those facing our organisations. Quite simply we need to continue to raise our bar. As you will have read in the report we have reviewed and distilled the key messages from those who contributed to the survey and our focus has fallen on key issues which will be well known to many of you. This session is seeking to hear from you on your own views on the content and its relevance to you and your organisation. We have asked a small number of attendees to share their views with us all but we also ask for everyone’s contribution to this discussion as it will help draw out some additional insights that we may all benefit from. So, while you listen to our speakers share their views please feel free to share your own, either in the chat or by raising your hand and offering a verbal contribution. |
Please download your copies of Risk in Focus 2023. You will find the Board Briefing on the same page and follow the link to access the public launch of Risk in Focus 2023. Notes below are supplementary to the reports.
Some key thoughts from Liz Sandwith, Chartered IIA
Thoughts from Speakers:
Chair's closing commentsThank you for accommodating the move of appointment times and for sharing your thoughts and experience today. As usual, the notes and chat comments will be placed on our web pages in the next couple of days. Finally, a couple of updates for you before we close: The conference season is in full swing, and our four upcoming events are all available to book just now.
All have previously been a great success and offer the opportunity to reconnect in person across the profession. If you haven’t signed up already, please put the date in your diary and refer to our web pages for details. Also consider the conferences as an opportunity to reward team members who have excelled this year. Thank you everyone and see you at the next session which is on 2nd November and will focus on Resilience. Please visit our Events section for further details. |
Questions/Chat box comments
Q: I think that anticipating what might be coming down the track is not the weakness. Organisations are not good at assessing the impact of the events. For example, the war in Ukraine has been on the cards for a number of years, but the world has been very slow at assessing what the impact of that might be. What would the impact be on wheat, the supply chain, the cost of living. It’s not just about the direct impact but the impact that can happen three or four steps down the line that could impact my organisation.
A: That’s a great point. For example, I remember talking to my audit committee after the Patisserie Valerie incident – do we know what our FD is doing for example and the first response was ‘we don’t do coffee and cakes.’ Don’t get focussed on the sector – focus on the scenario. We need to think about whether we could be next and what could we do about it.
Comment: That is a great point. I’d like to say that for organisations that were impacted by COVID and the Russia/Ukraine situation, the situation is different. We have a crisis management working party (meets monthly) with representatives from the business, CISO, Audit and Risk. An annual presentation is also made to the AC.
Q: Very interesting thank you very much. I feel good about my risk assessment being comparable to what we just saw in the presentation, my question would be that for some topics of risk for 2023 in here, how do we convert these into an internal audit/internal audit plan? Like with the macroeconomic and geopolitical risk, perhaps they are not supposed to be converted into an audit but into remediation and making sure that process/business decision owners do take into consideration this and act upon (risk management plans)
A: Good point. Perhaps the war in Ukraine and the pandemic, we did see signs it was coming. For example, with COVID, we saw it start out in the Far East and move across the globe – maybe we didn’t anticipate how devastating it was but we saw it moving. Likewise with the war in Ukraine, we could see the military preparations happening at the border, so there was a staggered approach we could watch and anticipate. Subject matter experts are saying that we won’t have that luxury with China and Taiwan – we’ll wake up in the morning and China will have taken Taiwan. When we’re thinking about BCPs, could we respond to an instantaneous impact on our organisation?
Comment: I work in the financial services sector and the regulator is very active. They do a number of tasks to get UK banks ready for a number of expected events. One of the things they’ve been doing recently is a cyber stress test at an industry level. They have a scenario which builds and unravels over time and banks have to respond to that. They also have continuous meetings with senior executives across the bank to discuss these things. There have been regulations in recent years to consider, e.g. what do you do when a bank suddenly becomes insolvent, how do you resolve that so you don’t materially disrupt the UK financial infrastructure? There are also regulations around operational resilience coming in. All designed to make banks more resilient, which aids thinking across the organisation.