Local Authority Internal Audit Virtual Forum

29 September 2021


Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

CEO's welcome

Thank you for joining. Welcome to a special edition of the Local Authority Internal Audit Virtual Forum focused on the Chartered IIA’s Risk in Focus 2022 report.

Organisations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The pandemic has destabilised operations and labour, disrupted supply and demand, and undermined previously sound business models to an extent few would have thought possible.

As a result, this year’s Risk in Focus report has once again found that the coronavirus pandemic has continued to transform the risk landscape and has significantly influenced organisation’s attitudes towards key risks.


Chair's opening comments

Welcome to our Local Authority Internal Audit Forum.

Whether you audit in the private sector or the public sector, the UK, Ireland or elsewhere, risk is our common currency. But this wasn’t always the case, as historically there have been instances with local authorities where their notion of risk equated to business continuity with fire, flooding and building evacuations being the main areas of concern. As auditors in local authorities, we have moved on significantly since then.

Our understanding of risks and particularly the risks faced by our councils is, of course, key to determining the work that we undertake and so the Risk in Focus report is an excellent resource for discussion with management in our organisations, particularly after the 18 months of the pandemic when challenges and the landscape has shifted.


Key takeaways

Liz Sandwith, Chief Professional Practice Adviser, Chartered IIA said:

Click here to access the presentation slides

  • The following five risks are all rising since 2020/21: Human capital, diversity and talent management; business continuity, crisis management and disasters response; climate change and environmental sustainability; organisational culture; and health & safety and security.
  • Responders to the survey indicated that they expect climate change to be an increasing risk as they look forward to 2025, along with digital disruption, new technology and AI.
  • The number one risk in the report - and it’s been the number one risk for the last four years - is cyber security and data security. 34% of Chief Audit Executives (CAEs) said this is their number one risk. Interestingly though the data has shown that we are not spending as much time on this risk as its risk priority would indicate we should.
  • Cyber criminals have exploited the move from office to home working and cyber security is set to be the perennial risk of the 21st Businesses have had to juggle competing priorities and operational disruption and have had to ensure that their operating devices and networks are secure.
  • You may find our recent report Mind the Gap: Cyber security risk is the new normal useful to have a look at.
  • Climate change and environmental sustainability has gone up the rankings significantly in terms of the priority of the risk. We will soon be issuing a report entitled ‘Internal audit on climate risk: a good sustainability guide for audit committees and directors’.
  • Following COP26, increased sustainability regulations are on the horizon, originating in the EU and UK governments.
  • The British Standards Institute are building climate change requirements into all their standards going forward. And upon reviewing current standards, they are including climate change requirements into these also.
  • Human capital, diversity and talent management – there is a lot of challenge in this space at the moment as organisations are struggling to recruit for vacancies. One recruitment firm has said that 46% of the workforce are actively looking for new jobs and that the reason for this is that over the past 18 months peoples’ priorities have shifted, including requirements for flexible working.
  • We will have a report coming out later this year ‘Corporate Culture through an EDI lens’.
  • Supply chain, end sourcing and ‘nth’ party risk – supply chain crisis can be impacted by other factors: worker shortages, changing regulations related to Brexit, and rising costs related to importing goods from China. Concerns are around changes in consumer demands, challenges in the airline industry, challenges in global shipping, the phenomenal increase in costs for transportation of goods and challenges around HGV drivers.
  • Rising inflation and the global tax clampdown – inflation, particularly when coupled with increasing energy costs and a rise in national insurance have a significant impact on people’s budgets and their discretionary spend and this creates a knock-on effect on sectors such as retail.
  • Pandemic response: from surviving to thriving – as we come out of the pandemic, what have organisations learned? Perhaps the ability to diversify? As internal auditors are we doing things differently e.g. shortened audit reports, shortened audit engagement, more focussed work, focussed on business-critical risks.
  • Fraud, bribery and criminal exploitation of disruption – a lot of the focus around fraud is on external fraud but the risk of internal fraud remains and potentially will increase.
  • The Chartered IIA has launched a fraud forum – contact Derek.Jamieson@iia.org.uk for more information.

Institute's closing comments

Internal audit is auditing amid rapid change

While the economic recovery is promising following the deepest global recession in living memory, businesses are contending with critical supply chain issues and inflation risks

Production costs have risen at a rate not seen for decades. Businesses are struggling to forecast demand for their products as virus infection rates and consumption continues to wax and wane. This uncertainty and disruption is being felt end-to-end through supply chain

Organisation that do not take immediate action regarding climate change face the genuine risk of extinction

The world has changed. Internal audit must change too.

 

Thank you for attending. As always, if you have any ideas or suggestions for what we might include in future agendas, please contact Liz Sandwith at liz.sandwith@iia.org.uk


Q&A

Q Regarding the amount of time spent on fraud - I think that there is maybe a traditional view of internal audit that we should be focused on fraud risks. Personally, I worry that a fear of fraud occurring could lead to question of where internal audit was. This, in turn, could lead to a disproportionate amount of time spent on fraud risk.

A Sometimes our stakeholders tend to go with some of the more obvious risks and look for assurance in those risks. But if the controls in a particular area are good and they mitigate the risks, then the same areas may not need to be audited time and time again. Risk in Focus 2022 is a useful report for understanding which risks need your time and attention, from an independent source i.e. the Chartered IIA.

Q Does anyone have any examples of Fraud risk assessments that they would be prepared to share? I'm having to start from scratch.

A If anyone has any examples that they are willing to share, please send them to us at Liz.Sandwith@iia.org.uk. We would also recommend raising them in our newly developed fraud forum.

Q Would members be willing to share suitably anonymised fraud incidents that they have been involved with? For example, values and outcomes eg criminal prosecutions

A It would be interesting to know if your organisation prosecutes in the case of internal fraud incidents.

Q Slide 5 - is it correct that IA - or some teams - are spending nearly 80% of their time on cyber security? I cannot imagine anyone in local government spending anywhere near that amount of time on this. Unless I have read the slide incorrectly?

A The slide shows how closely internal audit’s time, attention and resources are being matched to what CAEs consider to be the biggest risks to their organisations. There are numerous reasons why these differentials may exist and a direct correlation between risk priority and time spent auditing should not necessarily be expected.

Q How confident and skilled do we feel in auditing cyber risks - is there a skills gap?

A This is an area that we are not, as internal auditors, particularly familiar with. We are all still learning.  Do have a look at the cyber security report referenced above as it has some great suggestions.


Comments

  1. There's also a balance to be struck between proactive and reactive fraud work. Reactive work can consume a lot of time and that may be distorting the figures.
  2. Our counter fraud team also spend time on proactive data matches that can result in recoveries, eg when council tax discounts are claimed incorrectly.
  3. Analysing cyber security risks and controls seems to be reactive in nature despite organisations' best intentions. For instance, the recent cyber-attack on the Health Service Executive here in Ireland has prompted public sector organisations to sit up and take notice. Improving this area will be an expensive and lengthy process.