
Local Authority Internal Audit Virtual Forum

03 March 2023

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Institute welcome | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland

Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organisation’s most pressing issues. Yet today’s rapidly changing risk landscape demands that internal auditors assess risks more frequently than annually, perhaps even continuously. Risk-based internal audit plans therefore need to be dynamic and nimble. To achieve this some HIAs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling.”

Chair opening comments | Piyush Fatania, Head of Audit, Risk, Assurance and Insurance at Gloucestershire County Council and Chartered IIA Council member

For a long time, the annual risk-based internal plan has been dovetailed with the annual risk review - practical for the audit committee and section 151 officers. The nature of risks now means that this is no longer relevant. HIAs need to ask themselves if they are being too formulaic causing knee-jerk reactions to unplanned risks. And all this against a backdrop where our key audience can be reluctant to change. 


  • We, as Heads of Internal Audit, are the professionals, not the audit committee or management – we all need to push back sometimes to lead the way
  • The IIA Standards and PSIAS have never required an “annual” plan
  • Proposed new Standards call for more flexibility, and that the plan should reflect the degree and frequency of change in the organisation and risk environment updated as frequently as every six months, quarterly, or even monthly

Challenges with annual plan

  • It is for internal audit’s benefit not the organisation (resource planning/target work)
  • Maps out and ties assurance to the annual opinion
  • Typically, a high degree of organisational uncertainty at the beginning
  • Over the year the plan falls out of alignment with risk priorities

Alternative approaches

  • Quarterly plan - better but still time boxed and takes time to create/present
  • Flexible plan - integrated in day-to-day activities, rather than a separate exercise

A flexible plan shifts internal audit behaviors in three key areas

  • Head Down vs Head Up

       Encourages being present, engaging monthly rather than once a year with regular (quarterly or even ongoing) risk assessments rather than a once-a-year formal plan meeting.

  • Delivery vs Value

       Outcome, value focused rather than counting the number of audits produced.

  • Lengthy vs Short audit committee reports

       A detailed plan with outline scopes takes time to read, combined with annual review of charter and strategy. Shorter timely dialogue about audit work is more relevant.

Some questions for HIAs to think about

  • Are you following a traditional process rather than offering a better way?
  • Are you resistant to change?
  • Are you hanging onto something you’ve always done because it’s easier?
  • Are you afraid to be brave and challenge your audit committee?
  • And if you’re hard at work creating your plan, remember, it shouldn’t be that hard.

Chair closing comments

There is a clear desire for change from internal auditors for a more flexible way of working as seen in new proposed Standards. A big barrier is moving on from the comfortable, dealing with inertia and the capacity of teams. It’s all too easy to get caught up in defining and measuring days rather than the value of the work undertaken.  

Institute close | Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA

Our next session is 29th March 2023 when the topic is 2023 from an internal audit perspective. Join us for a conversation/debate on your priorities and innovations for this year.

Please read our insightful new thought leadership report – Navigating geopolitical risk

Dates for your diary 

  • 8th March | HIA Forum – Navigating geo-political uncertainty
  • 30th March | Chartered by Experience 14:00-15:00
  • 5th April | HIA Forum – Culture Post Covid


Chat comments including Q&A
Answers from speakers, anonymised comments from attendees

Comment | We have an annual plan. I have made suggestions to our audit committee to move towards a quarterly plan given the changing nature of risk, I have so far struggled to convince members of the benefits as an annual plan is something that has been in place for a long time. I will continue with the dialogue as we do have changes to the plan for emerging risks already.

Comment | Currently working to an agile/rolling plan, have certainty for a period of up to 3 months, a pipeline of work for a further 6 months. Report 5 or 6 times a year to Audit Committee - they are not entirely convinced yet, but I’m not going to waste my time planning for 15-18 months in advance.

Comment | We previously had a yearly audit plan but found that some audits ran over from one year to the next owing to factors like a lack of resources. In recent years we have taken on a more limited programme in order to complete it within a calendar year and leave more scope for taking on additional audits as they arise.

Comment | Now entering seventh year of not having a plan - comments –

  1. I still have a planning process - constantly horizon scanning and risk assessing (my planning paper to AC in March is 24 pages !!)
  2. The aim is to ensure coverage across the year incorporates 15 key control areas.  
  3. My senior auditors have assigned areas (Directorates) of responsibility and ascertain auditable areas / gain assurance via various means throughout the year.  
  4. Also incorporate other assurance providers.  
  5. The Audit Committee and Senior Leadership Team are signed up to our approach.  
  6. Performance management / KPIs are not so straightforward - Auditors negotiate the days they require for a piece of work with the audit manager  
  7. I firmly believe that it can fall to the culture of the Authority as to whether you can adopt a 'more' flexible approach to planning - some authorities will need a more 'defined' plan e.g. potentially those that have had 'public failings.'

Question | I provide a fully outsourced IA function of x days to a council and some KPIs are based on delivery of plan - in terms of cost and number of days and managing performance - will flexible planning work? or is this just a culture shift?

Answer | Yes it can work, discuss the KPIs, what’s an audit day – paid to deliver a service not the number of days for instance – need to break the whole methodology not just the plan – we’re the professionals not the Audit Committee or management – sometimes need to push back.

Comment | I think it is the balance of the period you plan ahead for and getting the approval for the plan so you are not seeking retrospective approval for changes too often.

Answer | In a more flexible approach it’s important to gain approval for the process not the plan itself (risk based, priority, resourced) – then the HIA needs to be trusted to deliver.

Comment | I use a flexible plan and have an agreed planning process shared with my audit committee. I am continually building up an assurance picture from audits and risk mitigation conversations my small team has ongoing with management. I always have a plan of the audits we want to do next but allow them to be gazumped if something higher priority comes along. Being flexible can have its flaws but generally we are welcomed starting engagements as it’s bought into across the council.

Comment | We do something similar using an assurance map.

Comment | The highest risk areas do not always have to be assured by internal audit, other assurance providers might be doing something relevant e.g., scrutiny, but we wouldn’t necessarily know that at start of year so end up duplicating activity without a more flexible plan.

Question | I’ve also had some raised eyebrows from External Audit.... expecting to see an annual plan.

Answer | To be honest, it doesn’t matter what they think as they are not the experts. There is no requirement for annual plan. It’s up to internal audit to demonstrate the relevance of their work (planning approach) through process. Recommend you push back. There is also work for us to do with regulators too as they also want to see an annual or sometimes a three-year plan.

Comment | When I have asked my EA if they want to comment on my plan which I share with a view to coordinating work they always say it is not their place to comment. 

Question | My fear with a totally flexible/rolling programme is that you end up firefighting all the time, and don't look at some of the basics.

Answer | It’s about relentless prioritisation so as not to compromise what’s needed for your opinion. It’s okay to have a backlog of low priority requests/audits that never reach the top of pile. It’s not about reacting to a director’s whim today that they will have moved on from when you land the report.

Question | We still have an annual plan. However, we include contingency time for new risks and take out audits with committee approval if no longer appropriate. We do carry out a fair number of unplanned assignments.

Answer | Annual plans typically include the ability to react to management requests but there can be an element of ‘perceived inconvenience’ to overcome – leaving contingency time is a good approach – but the behavioural mindset that goes with it is important. 

Question | How have you adapted the audit software you use to allow for more flexible approaches? Are there any new products on the market that are not geared to annual planning?

Answer | We use AuditBoard which has allowed integrated dashboards and rolling plans. Happy to discuss with anyone (David Hill).

Comment | Some still seem to be pushing for multi-year reoccurring cycles.

Comment | We use Galileo - provider has helped us adapt the software to fit our needs.

Question | I would like to know Rupert and David's thoughts on how much of the IA plan (as a percentage) should be IT audit?

Answer | Important to understand the organisation’s risks and also broader IT risks. Audit committee need to understand where all assurance is coming from across the three lines, it might be that there is a skill shortage in internal audit which impacts what can be done. Need to be honest and have the resource discussion.

Comment | As we have to buy in resource I agree with David - the ideal will probably be more than we can afford so it ends up being what we can resource.