Heads of Internal Audit Virtual Forum

6 May

Please note:

• All Institute responses are boxed and highlighted blue.
• Boxes where the interim CEO comments in that capacity highlight yellow.
• All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
• For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box comments

Q1. Institute: Do you (HIA) have a clear view of where the value, in internal audit, it going to be, after COVID-19, and a road map that will raise the profile/bar of internal audit and enable it to add value to the organisation?

It is important I think to embed an understanding and appreciation that auditors never come without a reason - this would normally come from excellent alignment on risk appetite. What happened to that appetite during COVID-19?

It would be interesting to understand why contribute doesn't equal doing audits. 

For me in the short term it's about helping the business ensure that the good stuff, like greater agility, more remote working and the like stick and we don't fall back to old habits like travelling for all meetings and we hold the same mirror up to ourselves and our ways of working. Longer term it is about the audit universe and where the greatest risks are.

I sense some audit committees and CEOs may want more of a back to basics campaign - recognising other sources of assurances may be hampered (eg disbanding of 2LoD assurance work). Whilst the trusted advice aspiration is noble and I’m keen to do it, do others anticipate coming under pressure to focus on the basics - giving assurance that core controls are happening as they should?

I wholeheartedly agree with the Panellist and the Institute’s sentiments...it is vital for us to step up and demonstrate real added value to our key stakeholders. How we do this this will vary from organisation to organisation - and not just talk about it...

That is the very reason for which we instituted monthly reviews of critical processes and controls. We want to automate it as much as we can now, to make sure it doesn't take a lot of bandwidth and enables us to support bigger cases.

I agree with the sentiment expressed. Balance of assurance over emerging risks and existing risks that have increased because of the current situation whilst also balancing providing risks/control input to revised/new processes will be an ongoing balancing act.

Q2. Institute: What role should building/re-building internal audit have in helping you (HIA) accelerate your ability to provide assurance around new and emerging risks whilst not forgetting existing business critical risks eg cybersecurity.

Good point re desktops. Also, it will be laptops with cameras - some of my team currently have laptops, without cameras, as they were cheaper.

Change management policy and processes are definitely at the heart of the new assurance plan.

We need to ensure that business resilience measures are built into risk registers - not merely looking at current controls.

This is our opportunity to show the value we can add - keeping in touch with the response and recovery plan at top level of the organisation is key. Identify proactively where we can provide support.

Auditing in the future is a good concept...looking at current controls but also resilience too - perhaps an objective view of this in terms of staffing, IT, stocks/inventory of key assets, process resilience for remote working etc.

One point I am conscious of is starting the audit plan from a blank sheet. Areas where I was historically very comfortable in terms of the robustness of their control environment will need a re-look to see if things have changed. My prior audit results and historic data will be a much smaller influence on future priorities than it was previously. 

Q3. Institute: How can you (HIA) lock in the benefits of a more agile operating model to increase value add, coverage and level of assurance provided to the business?

I'm pleased you’re conducting audit work in an agile way without the need for tiresome and painful jargon.

I share the panellist’s concern re how we give assurance on critical life and limb processes – it is a real challenge for us at present. I completely echo the challenges re PPE too!

In a public health utility - the offer of help from internal audit to support front-line emergency really has been welcome.

Q4. Institute: How should you (HIA) rethink your talent strategy so that you (HIA) have the people you need when the recovery starts eg expertise around new risks, ability to understand lessons learnt models etc.?

Totally agree!!

Fair point - assurance in the old world may now be out of date!!

Attendee comments, questions and actions

We have five questions that we will be discussing today, and putting to our two guest panellists, each panellist will take two questions each, the final question, will be answered by the Institute’s Interim CEO.

Q1.     Do you (HIA) have a clear view of where the value, in internal audit, is going to be, after COVID-19, and a road map that will raise the profile/bar of internal audit and enable it to add value to the organisation?

Guest panellist 1

The answer to your first question, do I have a clear view, the short answer is no I don’t but I’m sure you will want me to elaborate on that. I have to say, I have more clarity in some areas than in others and equally I must admit over the last six weeks I have changed my views on what the future might hold and what it doesn’t hold.

So if I may, I might break it into three sections, the immediate issues that face me, the ones that I think will face me over the next year and then maybe a more strategic future outlook on how we can add value after COVID-19 and indeed do I have a road map.

I suppose the first thing that immediately I am very conscious is that in our unit we carried out audits of BCP (business continuity planning) and cyber security in the last six months and of course I was very curious to see how those audits coped with the possibility of COVID-19 that I never imagined would come along. I have to say that, at this point, there is a difference between unprecedented and unimaginable. I think we’re all beginning to see the difference between those two words very clearly, I’m having to cope with both in my ‘mother’ department and the ‘sister’ department that I also audit; how are the internal controls at the moment coping with emergency purchases, emergency procurement which, by definition has broken a few rules already and I am conscious of that.

People in private sector companies will be more familiar with supply chain issues which really don’t hamper me so much in a public sector department. I am unclear at the moment as to how, or if we have the technology to support remote audit working in the future. They are my immediate thoughts. Over the next year, which you might call the start of the road map, I have certainly come to the conclusion that we should focus on proactive reviews that will provide more advice and consultancy or equally as much advice and consultancy as it does assurance. I think that we need very carefully to make sure that we are seen to contribute to business not to inhibit business, and I think that is a big big danger. I think that people could look on an internal auditor coming in, maybe in a months’ time, and “saying do you not think we have enough to do without having you in here as well?”, so I think that is a risk.

I think our main jobs in the next month or two could be gap analyses on BCP, gap analyses on crisis management and of course thinking about our future in the unit around travel, on-site audits and e-Tec options for audit.

Finally, from a future strategic point of view and I apologise for using the term ‘new normal’ I think the first thing every organisation will be doing will be re-evaluating what is on the risk register. I know that people are saying there are emerging risks, I don’t think so much that they are emerging risks, it is just that the risks that are always there have turned out to be unprecedented and unimaginable which is a big difference, in other words we’ve all done BCP, we’ve all done cyber security audits but we never every thought that they could last for more than a week or a few days and that’s the place we are now. So, I think we will have to re-evaluate and re-prioritise risks, including those ones that are changing, if you want to use the word ‘emerging’. I don’t think that the risk registers as they stood two months ago really could forecast the source of the risks that have now come to fruition. I think, as I have said already, we will be increasingly more the ‘business adviser’, rather than a pathologist, going back and saying where we went wrong. I think we need to have in the internal audit space a more critical review of risk prioritisation.

They are my general thoughts at the moment. Just as an anecdote, we were in the course of what we felt, was a very proactive audit review in our unit in the last three months, which was a review of culture. We literally got the interim report from our consultants on 15 March 2020. Now I wonder, a review of culture, when we were all sitting in offices, when we could walk up the corridor, it's almost as if we need to start again. So, that’s an interesting problem for me to re-energise this review and to try and work out will it have the same essence.

Guest panellist 1

It does depend hugely on the maturity of the internal audit unit and the maturity of the organisation in which you are faced. I see one of the participants today who carried out an EQA on our unit and they know that maybe five years ago we were not in the position to offer advice as much as we think we are now. Just an observation.

Q2.     What role should building/re-building internal audit have in helping you (HIA) accelerate your ability to provide assurance around new and emerging risks whilst not forgetting existing business critical risks eg cybersecurity?

Guest panellist 1

I was starting my new four-year internal audit strategy in December 2019 and indeed it is going to change an awful lot now because of the new or severity of these new risks. The principles around the changes that I will be making I think are around flexibility – flexibility of our staff, flexibility of the way we carry out audits and how possible that is.

This may not be our last pandemic or certainly our last unprecedented surprise so I think in our unit particularly, we have tried to formalise communication a lot more than it was before, when I could just walk down the corridor. We have regular meetings now, on a weekly basis, in fact more than weekly. We are checking in on each member of staff, it is not just from an audit issues point of view, but also a health and wellbeing point of view; are they coping with sitting in a room at home, perhaps particularly if they have children or other needs that they have to look after. So, more formalised communication I think within the unit, with risk managers, with peers in the organisation and that’s all done by way of these telecommunication links we have now. We have peer groups in our organisation and other informal fora, and we are doing it much more often now than we did in the past.

I think that the health and wellbeing of the team is going to be a major issue to try and work out the technology that we are going to use in the future. I can see for instance that the future sales of desktop PCs is going to plummet and that sales of laptops will increase. Who will want to have a PC sitting on a desk, in an office you never visit or that you are not likely to visit very often? So not so much the new emerging but the severity.

The old risks won’t go away, there’s no doubt about that, but I think we will look hard at how we prioritise them and put them in context against what has now turned out to be far more serious areas.

So, to finish, what would be my focus – continue with BCP and that could be for instance, as I said earlier a gap analysis around how BCP has worked so far, I think telecommunications. I have no doubt that in a years’ time Zoom will be a far better tool than it is now and I think we all need to be ready for that and ready to use it.

I have already re-deployed five of my staff who are going to carry out ‘contact tracing’. So, I am losing some staff and I must admit I am not losing as much of the audit requirement as I thought I would lose six weeks ago. I thought that six weeks ago management would come to me and say, “listen we really don’t want to see you for a couple of months.” In fact, they have been quite eager to bring us on board and to keep audits going, particularly in one of our departments, perhaps more so than the other. So, I need to look at re-deployment of staff but look at it on a short-term and a long-term basis.

Finally, the other thing that struck me was that in a crisis I think practice comes ahead of policy, in other words, there are changes to business processes that run ahead of policy, that run ahead of governance. I think we are going to be doing a lot of catching up in the next two months in the terms of the practices that we have justified because of the crisis, and catching up in terms of putting in processes and polarising those processes. Again, at the risk of repeating, my message would be contribute don’t inhibit, give timely advice and let’s look at how we prioritise our risks again.

The point I raised is around the importance now of change management in the organisation and really picking up on what your guest panellist said earlier around the fact that, coming to my table at the moment is a huge amount of new processes. It is fantastic that we have been asked to get involved in it, but you know, that is shaped across the three lines of defence and ensuring that it goes up through the proper governance structures at this time is important, because we could be in line for a huge mess on the fireside. I think that if we can have conversations around the importance of change management and consulting with the right people across the three lines of defence. I think at this point it will be very valuable in, I suppose, preventing that mess on the fireside. 

Guest panellist 1

We are all aware of the anecdotes to support that. Our organisation has purchased PPE and other items, broken every procurement rule in the book and indeed aren’t quite sure where some of where the money has gone. So, when we do our postmortems, in as such as they are helpful, these are going to be issues to be faced afterwards and the whole supply chain area, in other words, so that we are prepared for this in the future, so we don’t have to be doing emergency procurement, will be a lesson learnt - with hindsight it is easy to say that.
 

One of the organisations I was with, one of the phrases that was used a lot was ‘no regrets’. When you are in a middle of a crisis, especially when it is a humanitarian one, sometimes you really have just got to push the boat out, you have to do everything you can, but you try and do it in as a controlled manner as possible. I do think that is actually where the lesson learning from this will be really good, because you’re not necessarily learning lessons about how you make decisions in the future, coronavirus pandemics, you’re learning for any unexpected circumstance that hits you.

I’d also like to make another point, that, I think reflects what has already been said, I do think that internal audit has an incredible potential to challenge the business not to just go back to what it was doing before. I know that is going to be an issue for my organisation. It is very easy to just say, “oh well we just pick up where we left off in the middle of March.” But no, we have shown that we can do things differently, we’ve shown that that can have a good effect and lets hold onto the good things about the new world, while we’re trying to fix the things that we would rather not have happened. I guess it is the opportunities as well as the downside risks. 

Q3.     How can you (HIA) lock in the benefits of a more agile operating model to increase value add, coverage and level of assurance provided to the business?

Guest panellist 2

I should start by explaining I am one of two auditors; we are the classic small audit shop, we have some projects delivered by a co-sourced partner and we occasionally engage specialist contractors on an ad-hoc basis.

Our small size has essentially meant that I suppose, agile has always been innate in the way that we work. We don’t apply a framework of huddles and scrums routinely, we have contact with each other, sometimes daily with our co-source partner, depending on the project that we are working on. Like many organisations in our sector the goal posts move, none more so than at the moment and the priorities and objectives that we have to adapt to and that means we have to move on the scope and the objectives to ensure the value from our work and if that is necessary, we will do it.

We have a mechanism to reach out to the audit and risk committee at short notice if this needs to be done, if there is a material change to any of our plans. So, all the time we are looking at being agile and I suppose, I keep changing my mind about this, the pandemic has seen us follow guidance by the HSE (Health and Safety Executive) to ensure the safety of the people in our services as well as our colleagues, and our focus as an organisation is on maintaining the services to the people in their private homes, in our residential settings. Many of those service users also have complex underlying health conditions, so they are of considerable risk from COVID-19 and, as a result, everything that the organisation does is focused on that and we have had to adapt an awful lot around holding back from audit work that would impact on people providing critical services.

Also, on the other side we have had to contribute with help around policies and procedures. Circumstances have arisen in the last couple of months that have required us to review those and that is where, as internal audit, reviewing those policies and procedures we are acting in an advisory role. To a certain extent it is probably going a little bit beyond just advisory and we are having to be a bit more forthright at times, to make sure that we are giving people the tools to support the people in our services but also to protect the organisation.

As far as internal audit being agile our general approach so far has been to review the plan, I think this is going to be common to many of you, reviewed the plan for this year, rescheduled audits. In the early days I had my colleague reviewing the audit manual and updating the processes. Another interesting little piece of work that has come to us in ‘standby’, is delivering PPE to our services. That is simply if we need bodies on the ground to get PPE purchased and maybe needing to get it up/down the country, wherever it may be, we are on standby to do that. It comes back to the issue of what are the priorities for each individual organisation or the sector you are in and something as simple as that could ultimately be a matter of life or death and we are trying to adapt to that.

Another area that has come from this, like many care providers we are having a tight staffing situation, whether that is down to self-isolation, general illness, or childcare problems for some of our colleagues. We are having to recruit quite quickly, so again, an area we have tried to look at is trying to provide assurance around the employee background checks, the vetting, the induction training. We had already moved to an online induction training which has been quite helpful in this situation, but again, it is adapting to what we see as the priorities in the organisation and trying to support those, being at times advisory and others just being an extra pair of hands to keep the show on the road.

Overall, whilst I think we are a small, agile team, we still look to be adaptive and flexible, locking in the use of virtual meetings – for us it is Microsoft Teams. We are going to further develop that understanding and the trust of the ICT team, which was always been okay, but actually, in the last couple of months it has really strengthened. I suppose internal audit has been seen as the supportive voice of the initiatives that they are taking, so we would like to build on that further and for me personally, it is to re-emphasise that after the pandemic, we are a source of advice and in-house consultancy; when all the dust has settled on this and we can be approached around the re-building whatever the ‘new normal’ is.

Guest panellist 2

At the start of all of this, one of the first things we agreed with our audit and risk committee was that in principal, they were agreeing to us doing non-audit work, but the mechanism was, that I would reach out to the chair as a request comes in and we will get the yes or no literally within the hour, that’s the agreement that we came to.
 

Q4.     How should you (HIA) rethink your talent strategy so that you (HIA) have the people you need when the recovery starts e.g. expertise around new risks, ability to understand lessons learnt models etc.? 

Guest panellist 2

As I said a few minutes ago, being a small team with some co-source partners, I think the resources we use, I don’t expect to change, but the mix of those resources may well change and that is going to be depending on any new strategies that arise from this, being led by the board, what will change from our own risk assessment within internal audit and it is trying to balance that altogether. That is the difference for me, the area I have been thinking about over the last few weeks is also where we may have to second-in some in-house expertise, whether that be in health and social care or our learning and employability divisions. We might also need to place more reliance on the second line of defence, particularly quality and risk management functions, but that is an area I need to explore a little bit more and discuss with the audit and risk committee to make sure they are comfortable with that.

Another interesting element of our organisation is that we also have a division that is a social enterprise and the whole mission is to try and create employment for people with disabilities of varying types. There are different operations around the country, some are more like a cottage industry, others with specific key skills provides support to multi nationals in particular areas. But one of our operations was on the news only a couple of weeks ago because they actually make PPE. Traditionally they would import material and their customers would normally be painting and decorating contractors, maybe the cleaning/laboratory type suits that are needed. As you can imagine the number of orders received over the last few weeks and they are trying to up-scale. An interesting thing for me is, we are having to think, do we have the necessary skills or depth of skills to support them in an increased scaled up manufacturing setting, which is different to what we had been used to for the last number of years. So, this is something I will be looking at to try and get some training for myself and my colleague and in the immediate short term it is probably going to be contracting an individual, that I know that comes from that background and could lead a particular project. It is almost the traditional risks for us there, those risk exposures are increasing and that is everything from stock supplies to having appropriate credit controls, the actual stock management itself, the amount of capital that we are tying up, so in many ways it is a classic audit risk, but it is a bit of a departure for us, because this is one part of the organisation and it is taking prominence over other areas in the last few weeks. So, just an example of how something can change so quickly. 

Q5.     What investments are the most necessary to create the technology environment that will allow the organisation and internal audit to thrive in the next normal/future, have you prepared your business case?