
Heads of Internal Audit Virtual Forum

5 October 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised


Chair: John Wood, Chief Executive, Chartered IIA UK and Ireland and Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA UK and Ireland

Chair's opening comments

Good afternoon everybody. I am John Wood, Chief Executive at the Chartered IIA UK and Ireland. Welcome to this afternoon’s Heads of Internal Audit Virtual Forum.

We have moved today’s session at short notice because of the need for Derek Jamieson to attend an event in London today. Our apologies for the short notice of this change and I hope it has not been too much of an inconvenience to you.

We are focussing on our annual report, Risk in Focus 2023, today. This year’s report has only recently been launched and we are delighted both with the response from members and with the level of media attention it has received. It is clearly a report which is continuing to build the profile of the Internal Audit profession and you are hopefully as pleased as we are with its trajectory. 

This is the seventh year that we have produced the RiF report and the number of CAEs/HIA contributing to the report has again hit a record number. 

This year we are faced with the longest and most significant list of challenges, risks and issues that any of us has seen during our careers. The challenges facing internal audit are inextricably linked to those facing our organisations. Quite simply we need to continue to raise our bar.

As you will have read in the report we have reviewed and distilled the key messages from those who contributed to the survey and our focus has fallen on key issues which will be well known to many of you.

This session is seeking to hear from you on your own views on the content and its relevance to you and your organisation.

We have asked a small number of attendees to share their views with us all but we also ask for everyone’s contribution to this discussion as it will help draw out some additional insights that we may all benefit from. 

So, while you listen to our speakers share their views please feel free to share your own, either in the chat or by raising your hand and offering a verbal contribution. 

Key takeaways

Please download your copies of Risk in Focus 2023. You will find the Board Briefing on the same page and follow the link to access the public launch of Risk in Focus 2023. Notes below are supplementary to the reports.

Some key thoughts from Liz Sandwith, Chartered IIA

  • It’s about the ‘perfect storm’ scenario – geopolitical tensions, supply chain, cyber, logistics, raw material shortages and financial liquidity.
  • Crisis is the new normal.
  • Cyber security is still number one, for the fourth year.
  • It’s useful to hold up slide 8 of the report ‘What are the top 5 risks on which internal audit spends most time and effort?' in terms of where we’re spending our time vs. risks. Do we need to challenge ourselves and focus on the higher priority risks e.g., macroeconomic and geopolitical risk for example, which is seen as a very high risk, but we’re not spending much audit time there.
  • Risks are becoming more interlinked and integrated now, recognising that risks really do span across the organisation, as opposed to thinking of buckets with risks in them. Think about fraud for example – it links to cyber, financial liquidity and to your organisation’s reputation.
  • Geopolitical risks are here to stay for the foreseeable future.
  • We need to reflect on all the risks and the challenges these represent.

Thoughts from Speakers:

  • Reduced focus on Business Continuity Planning (BCP) was a surprise. Could the fact that we’ve lived through a global pandemic have made us complacent, we think we can cope with anything? We need to remember the pandemic was just one type of scenario an organisation might face.
  • Culture falling down the list was a surprise also, and with regards to the interlocking of risks talked about – is this a reflection of a reduced level of resilience?
  • Brexit is having a big impact on trade, with a reduction of 58% being felt in Ireland in terms of trade with the UK.
  • We need to work out how we will plan as internal audit against the backdrop of volatility.
  • Could we do more around horizon scanning and anticipating what’s coming, together with how risks impact on each other?
  • We have recently conducted an audit of BCPs, following messages from the executive that they must be fine given they’ve survived Covid, which meant getting them into the mindset of thinking of other risks more widely, which was a tough message to feed back.
  • We got a great level of engagement with our BCPs using a cyber-attack scenario. This made it more real. We conducted a workshop and put the senior management team in the hotseat, which seems to have been really effective.
  • We moved to a six-monthly plan as an annual plan just wasn’t reactive enough.
  • One of the key things that resonated with me was risks around supply chain, which was a particular problem for my organisation at the start of the pandemic. Our resilience arrangements couldn’t work as we had planned due to the global impacts on supply chain.
  • We’ve been through a huge lesson learnt exercise because of the pandemic and we were clearly unprepared for the type of pandemic that presented. We’re now looking at scenario planning for different types of viruses.
  • Financial liquidity is also a key risk for us and the financial pressures on the public sector. We’re having to make huge savings which our financial plans aren’t making a big dent in. Financial liquidity affects every risk we have – e.g., recruitment, unfilled vacancies.

Chair's closing comments

Thank you for accommodating the move of appointment times and for sharing your thoughts and experience today.

As usual, the notes and chat comments will be placed on our web pages in the next couple of days.

Finally, a couple of updates for you before we close:

The conference season is in full swing, and our four upcoming events are all available to book just now.

  • Chartered IIA National Conference – 18-19 October
  • Wales Conference – 9 November
  • Scotland Conference – 1-2 December
  • Ireland Conference – Confirmed this week and will be advertised soon - 21st April

All have previously been a great success and offer the opportunity to reconnect in person across the profession. If you haven’t signed up already, please put the date in your diary and refer to our web pages for details. Also consider the conferences as an opportunity to reward team members who have excelled this year.

Thank you everyone and see you at the next session which is on 2nd November and will focus on Resilience.

Please visit our Events section for further details.

Questions/Chat box comments

Q: I think that anticipating what might be coming down the track is not the weakness. Organisations are not good at assessing the impact of the events. For example, the war in Ukraine has been on the cards for a number of years, but the world has been very slow at assessing what the impact of that might be. What would the impact be on wheat, the supply chain, the cost of living. It’s not just about the direct impact but the impact that can happen three or four steps down the line that could impact my organisation.

A:  That’s a great point. For example, I remember talking to my audit committee after the Patisserie Valerie incident – do we know what our FD is doing for example and the first response was ‘we don’t do coffee and cakes.’ Don’t get focussed on the sector – focus on the scenario. We need to think about whether we could be next and what could we do about it.

Comment: That is a great point. I’d like to say that for organisations that were impacted by COVID and the Russia/Ukraine situation, the situation is different. We have a crisis management working party (meets monthly) with representatives from the business, CISO, Audit and Risk. An annual presentation is also made to the AC.

Q: Very interesting thank you very much. I feel good about my risk assessment being comparable to what we just saw in the presentation, my question would be that for some topics of risk for 2023 in here, how do we convert these into an internal audit/internal audit plan? Like with the macroeconomic and geopolitical risk, perhaps they are not supposed to be converted into an audit but into remediation and making sure that process/business decision owners do take into consideration this and act upon (risk management plans)

A:  Good point. Perhaps the war in Ukraine and the pandemic, we did see signs it was coming. For example, with COVID, we saw it start out in the Far East and move across the globe – maybe we didn’t anticipate how devastating it was but we saw it moving. Likewise with the war in Ukraine, we could see the military preparations happening at the border, so there was a staggered approach we could watch and anticipate. Subject matter experts are saying that we won’t have that luxury with China and Taiwan – we’ll wake up in the morning and China will have taken Taiwan. When we’re thinking about BCPs, could we respond to an instantaneous impact on our organisation?  

Comment: I work in the financial services sector and the regulator is very active. They do a number of tasks to get UK banks ready for a number of expected events. One of the things they’ve been doing recently is a cyber stress test at an industry level. They have a scenario which builds and unravels over time and banks have to respond to that. They also have continuous meetings with senior executives across the bank to discuss these things. There have been regulations in recent years to consider, e.g. what do you do when a bank suddenly becomes insolvent, how do you resolve that so you don’t materially disrupt the UK financial infrastructure? There are also regulations around operational resilience coming in. All designed to make banks more resilient, which aids thinking across the organisation.