Heads of Internal Audit Virtual Forum

1 July 2020

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity this box is highlighted in yellow.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

This week we were joined by an audit committee chair to provide their personal perspective on the role of internal audit, its evolution over recent years and the journey ahead for the function in an exceptionally challenging environment. Joined by their head of internal audit who provided a perspective from the internal audit team. 

Audit committee chair perspective

Where we were

Going back thirteen years ago when I joined the organisation internal audit was hidden away. They emerged to perform a check on services then returned, never welcomed as it meant more work for services/departments. They were seen as a visitation and a single point of check and resolution – very old fashioned. After a refresh in the senior management team, the organisation decided that the structure needed to change bringing them more up to date. 

What we did 

We moved from an entirely in-house internal audit team to a co-sourced arrangement with head of internal audit part of the co-source arrangement. Bringing in an outside firm opened the organisations eyes as to what internal audit could be and used this new arrangement as a tool to improve the organisation. After some successful years of co-sourcing, with an emphasis on external provision, the organisation moved to a strengthened in-house internal audit function. The current head of internal audit has built up a very strong in-house team, therefore, radically reducing the out-sourced element. However, specialists are brought in for technical audits where we can’t justify holding that specialism within the team. 

Challenges 

One of the biggest challenges was the continuing suspicion of internal audit with the organisations staff who did not welcome a visit from internal audit. As the audit committee chair, I have worked with the head of internal audit to change this and move the perception of internal audit as something that is done to you, to something that you do with audit to find weaknesses and inefficiencies so that you can improve the service you offer and help deliver the service safely and effectively. 

In an organisation that has constantly been reorganising itself in response to funding reductions, completion of audit actions has not always been welcomed. However, internal audit is beginning to be appreciated as a tool that can be used to improve functions. 

The response to the COVID-19 is the first time I have seen the organisation move to emergency decision making. COVID-19 has meant moving to a situation where decisions were put into the hands of three people. Internal audit had a job to do to ensure that the decisions taken under emergency powers were recorded. I have had assurances and been working with internal audit to ensure this has been done. Whilst I have been kept informed, due to the pace of change and the adaptations taking place, it has not been possible to keep me, as audit committee chair up to date with every decision. Whilst we have been asked to undertake incredible challenges at pace, I expect there will be fallout, not least in our budgets. Hopefully, the areas that have underperformed will not create major problems down the line. But it is inconceivable that we won’t be picking up the pieces at a later date. 

The future 

We are getting through the emergency and beginning to plan for the future. What does that internal audit service look like? My hope is that the organisation recognises that it has moved considerably. It has not always made it easy for itself, but it has changed and adapted and proved that it can be agile in a way that it has never done before. 

Internal audit has been working closely with the senior management team, keeping the organisation safe and that is the message I want to see taken forward. Change can be safe, and change can deliver better, but you need to use the professional services within the organisation, internal audit, legal, finance at the beginning of the change to protect you.
 

Head of internal audit perspective

One word that encapsulates the journey for me since starting at this organisation is ’exhilarating’. It has been unlike anything I have ever experienced in terms of my audit career. It has been the most demanding, challenging, rewarding and at times frustrating role in my entire career. 

Challenges 

Politics - Some of the challenges and learnings have been quite amazing. The big part of the learning curve was understanding the politics. All the committees, all the members of the committees are all elected members. The audit committee chair has been particularly helpful with that. The Governance, Risk and Best Value committee is probably the least political committee, which I think is definitely a strength. The committee tries to ensure that they stick to the facts, scrutinise audit reports and hold directors, heads of service and employees accountable for the outcomes of the audit assurance work. 

Webcast - The committees are webcast live, to the public, providing an open and visible decision-making process. 

Training and resources - When I took up post, we had a co-source arrangement. As with everything, there were things that worked well and some that didn’t work so well. I found that the in-house internal audit team needed some development and investment in relation to methodology, new internal audit practices, tools, and techniques etc. There was a journey there to build the team. The team was under resourced in terms of the risk profile of the organisation and the level of assurance needed to deliver the annual internal audit opinion. This was supported by the Governance, Risk and Best Value committee. 

Culture – There was definitely a view of ‘you’re here to find me out’ and concerns about audit reports going to committee and being challenged by the politicians. We had to come up with a way of selling internal audit to them. Internal audit has been doing a lot of work across the organisation to change the culture, using simplistic language and help people understand risk and control and the three lines of defence, for example from a risk and control perspective talk about:

DO – STOP – SPOT - FIX

Doing directive controls
Stop preventative controls
Spot detective controls
Fix the action you take before a risk becomes an issue and you need to do something to address it

Also talk about the three lines of defence in a language that people understand rather than perhaps internal audit jargon:

DOERS – CHECKERS – HELPERS

The doers 1st line delivering the services, running the operational processes
The helpers 2nd line bringing into place all the frameworks, policies, guidance – all of the tools that help the ‘doers’ deliver the services
The checkers 3rd line (independent) such as internal audit, external audit and then we have a whole raft of regulators

That was part of the cultural shift to try and get buy-in in terms of understanding that audit is here to help. We describe ourselves as 'your safety net' and the message that we are trying to give there is that we are here to identify the problems and help you come up with solutions to remediate and fix them, before they get to maybe the inspectorate and you have a widely publicised report in the public domain. We are getting there, we have made a difference and are definitely progressing, getting buy-in and engagement from across the organisation, which has been hugely helpful. 

2019/20 Audit Plan – Completion of the 2019/2020 audit plan would have finished on 31 March 2020. We were close to completing the plan but had to take a pause and let the organisation implement its resilience response. We now have to complete the final audit reports to provide the annual internal opinion to the Governance, Risk and Best Value committee in August 2020. 

Internal audit team – working from home on an on-going basis since mid-March 2020; continuing to connect and engage as a team; the well-being of the team – understanding all the individual circumstances and challenges and making sure that they are all ok on an on-going basis. Undertaking audits remotely which has been interesting and challenging. We are now adapting to, what I am calling a new agile methodology – it is short form, short, sharp audits that we are doing around the design of the COVID-19 processes.  

Risk - Working very closely with the risk management team to ensure we have a good understanding of all of the new and emerging COVID-19 risks which presents a very different population of risks for the organisation. Understanding all the decisions the organisation has made in response to COVID-19 and the risks associated with those decisions. In particular those risks that will be there when decisions are reversed or we go back to some place in the middle in terms of business as usual - we are calling this the adaptation and renewal recovery programme – this will be a big piece of work understanding the risks and bring this together into a six month audit plan for the financial year 2020/2021. 

Where is internal audit now? 

During COVID-19 the organisation has incurred a lot more cost and suspended some income streams, so this is a challenge and a risk for the organisation. Part of the challenge is the uncertainty of how long we will have to continue. We have also had to implement a whole raft of new processes and amend a lot of existing processes very quickly, that is a concern, as well as the changes to the risk profile. In this resilience situation, there are all these new risks that, as head of internal audit I need to get a level of assurance on, but what is actually happening with the business as usual stuff? Are we taking our eye off one ball to focus on the resilience work? 

At the moment we are doing some short-term work around interim COVID-19 arrangements, some agile design audits across July - September, looking at those new COVID-19 processes, and processes that have been significantly changed. Looking at the shape of the audit plan for next year and the remainder of this year. 

One thing that is very clear is that the organisation has shifted incredibly and very quickly. We need to be able to provide a mix of assurance on these very big themes: COVID-19 and the new population of risks that it brings; beyond business as usual work – has anything been dropped? and the adaptation and renewal and recovery piece as well.

Relationship of the audit committee chair and the head of internal audit

Audit committee chair 

The first head of internal audit relationship was the very traditional officer/councillor formal relationship. The out-sourced head of internal audit, they knew everything about the organisation and were a huge source of information – they became my best friend. When the current head of internal was appointed I worked from the presumption that we would work together, and we were going to be friends. If the head of internal audit is in a good position then that helps me in my position because the more, I know, the more I can use internal audit to improve the organisation and drive some improvement. 

Institute's response

The comment in the chat box about the ‘friendship’ between the audit committee chair and head of internal audit is key for organisations, to enable topics to be progressed. Conversations I have had in the autumn last year and the beginning of this year with audit committee chairs is that there is not that level of engagement with heads of internal audit that there should be. I think the comments in the chat box about that being something we should all aspire to is key.

Supporting our audit committee chairs and working with them to ensure that we both collectively give the best for the organisation but have the ability to challenge each other is something that the Institute would really support.

The Institute’s initiative around supporting audit committees and audit committee members and chairs is certainly going to support that.


Impactful audits 

A number of years ago through the head of internal audit asking for input when preparing the internal audit plan, an area was identified that was not delivering on spending. An audit was undertaken on this area, a report produced, and improvements made. If we had not had the audit, issues would have been buried and we would not have seen improvements to the service. 

That for me, is the best example of how you use internal audit, as a chair of an audit committee or an elected representative involved in audit to effect change, that improves the spending of public money. Because of that audit the department was reformed, and that improvement plan is still on-going. It is change that I have affected and that’s one of the reasons why audit is really important for the organisation and for people you are elected to serve.

As a head of internal audit one of the most impactful audits I have undertaken is auditing drivers of heavy goods vehicles. Looking at their skills, capacity and qualifications and making recommendations to reduce the level of risk in the organisation, this followed an incident in another local authority where a council lorry was involved in the death of a member of the public.

Chair's comments

Several chat box comments have mentioned agile auditing. We will be picking up on Agile auditing as part of future forums. Over the past weeks of the forum we have described how we have become agile, agile of mind, how the mindset has changed. We have used internal audit methodology and processes as tools to become more agile, more responsive and adding more value as a result. An example was provided to me this week in relation to a new process put in place as a result of COVID-19. Through the action of real time assurance, internal audit found a fundamental problem in the process, stopped it, and saved £6m as a result of that real time, live assurance, driven by an agile mindset. Previously internal audit would have wanted to think about it, plan it, issue a scope and start an audit – this was done in a 2-day exercise. In reality the word agile is a mindset.

In the next few weeks, we are going to start talking about what agile means in reality, what’s the process, how do you apply it?

Finally, as today’s session draws to a close, I would like to thank you all for attending and for contributing to our discussion and a special thanks to our guest panellists.

This was the last in the current format for the forum.

Next week’s session will seek to consolidate the key messages from the session to date and will then move to propose the main themes for internal audit’s focus in the coming months which will in turn form the core elements of our agenda for the forum as it enters a new phase from 29 July. 

If you have any ideas and suggestions for the format or content of the forum going forward, please do share your thoughts with Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk).

And of course, we will happily take further questions outside this forum as part of our ongoing approach to the COVID-19 crisis – so please do get in touch.


Chat box comments from attendees 

Has the concentration of emergency powers with three people helped the speed of decision-making or created more risk (key dependency, flow of information etc)?

  • From an internal audit perspective, it has been a mix of both - speedier decision making with key person dependency.

Love the idea of internal audit as a safety net, particularly during the pandemic.

I think it is really key as our guest panellists have said, to make that journey from a perception of audit being a scary thing inflicted on auditees to the understanding that internal audit is there to support. The simplified language is a great tip. In our organisation we also found framing useful. Are there any other techniques that you have found particularly useful in changing hearts and minds?

  • Yes - lots of hints and tips and happy to share more widely - I have some training slides etc. I can share.

A real challenge in providing real-time advice on design of new and amended processes and subsequent provision of assurance on the same.

  • Absolutely agree - our internal audit team has also been involved in providing real-time/consultancy advice on the design of the new Covid-19 processes.

I am not wholly au fait with the IIA qualification's core content in recent years - but 'agile' seems to almost now be a pre-requisite in some sort of meaningful way.

  • Agile is not really core to the CIA or QIAL IIA qualifications or their syllabi but it is indeed the flavour of the month. Everything seems to be agile these days and the word is everywhere...often slightly incorrectly in my opinion.
  • Wholly concur. I'm thinking scrums with internal audit involved (to the guest panellist point about "change can be safe when professional services are involved from the onset"), but yes - would be excellent to clarify.
  • Maybe one can bin the jargon but keep the principles!
  • Absolutely agree with that. If agile = timelier, client-focused, participative, high impact, insightful internal audit work then I'm in!
  • In our organisation we have used agile methodology for a few years to track audit progress, which has helped greatly in monitoring and managing delivery of the audit plan on a quarter by quarter basis.

In some areas many local authorities now have independent audit committee chairs rather than political ones. That can help with the political challenges you mentioned - is your organisation going down this route too?

A very powerful friendship – audit committee chair and head of internal audit. Something we should all aspire to.