Heads of Internal Audit Virtual Forum | Key takeaways

15 April


Please note:

  • All Institute responses are boxed and highlighted in blue.
  • All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box content

1. In some cases, internal audit is now performing the role of Compliance, Risk or other assurance provider. This will inevitably provide deep insight on the effectiveness of the policies and processes in these areas, albeit whilst operating in exceptional circumstances. Should identified weaknesses be reported and if so, how?

On weaknesses, it makes sense to report weaknesses/exceptions identified by crisis assurance to the management immediately (by agreement with them). These exceptions can be dispositioned into:

A.) Expected (i.e. result of planned control degradation/suspension due to emergency operations).

B.) Unexpected (i.e. potentially result of unknown process failure that was exposed during the outbreak).

There is also a plan to conduct an ‘after action review’ where management have a chance to address the issues in a more structured manner and make improvements in business continuity/disaster recovery plans.

I think we need to prioritise, but it is our role, I wouldn't share everything at once, less material issues can be ‘parked’ until the time is right.

I would be interested in examples as to what roles internal audit performs specifically as first or second line?

I'd certainly want to hear about any concerns/issues/risks from my team. I would then probably consider on a case by case basis what to do about these concerns...how and when to raise an issue is key. The timing, method and communication medium are everything.

Actually, the IIA released years ago, a role guidance in terms of risk management. It could help us to draft the path to follow to provide support to the management. But in terms of compliance, it seems that we could provide some assurance on certain key controls and policies.

Internal audit will always need to call things out where there are issues; in this situation it's really going to be how you go about that and being proportionate. Informal approaches that still result in change might be most welcome especially for observations made outside of an audit.

So, agreeing with the comments, reporting but maybe in a relationship preserving way unless a big issue.

I think it is key to ensure that the mandate for internal audit’s engagement with the 1st or 2nd line should be clear and approved by the audit and risk committee.

It is not delay per se, but some activities may run in parallel.

Timelines need to reflect the logistics of the reviews and agility available to the team. However, the standards and requirements should be relatively agnostic of business continuity management and working environments.

We need to do 'enough' to assure ourselves that our opinions and broader assurance continue to be effective.

It is also about adding value to the organisation, part of the three lines of assurance model.

The Institute's primary guidance in a COVID world is asking the business ‘how can we help’. That - in and of itself - puts our interface with the two lines of defence in much sharper relief. So, the challenge herein is inescapable and must be met.

Agree with the above, good point, well made.

100% agree with last two calls we have adopted the same approach.

Agree - and internal audit are individuals with a strong knowledge of the whole organisation, of the big picture and of risk management. So, internal audit can be really valuable to organisations perhaps now more than ever.

Potential opportunity to work with finance teams rather than pure independent audit.

2. We have an audit of business and financial planning process in the schedule and the audit committee have asked for this to be brought forward as they are concerned about the robustness of the process at this time of crisis. How do you audit business and financial planning processes in an environment where there is little if any credible source of market related information, potentially gaps in the skills available in the business and where some of the core inputs to the planning process have been eroded?

It sounds like the audit committee/board already know there are issues, are they asking internal audit to validate their view or something else?

3. Given the impact of the current crisis would it be appropriate to allow an EQA to be delayed beyond the five-year cycle?

Are some of our Standards less important than others?

We have already agreed with the audit committee to push ours out with the introduction of the new Code, we will do an internal quality assessment first to ensure alignment with the Code and then an external quality assessment (EQA).

I would expect/like to see in-house functions providing a firm ‘lessons learned’ through the period as we would with the wider business continuity management review.

I think for us it is about getting the most value out of the EQA as well. Right now, I think it would tell us what we know we're compromising as a result of situation.

We are due an EQA in May 2020. 

Communications essential with audit committees on any audit activity.

4. Internal audit and cutbacks

I would be very worried that internal audit is seen as disposable during cutbacks...as cases of fraud increase significantly during tough times, disbanding internal audit will increase risks significantly to the organisation.

Agree with the above - I've heard of a lot of charity internal auditors being furloughed which is concerning. As I think internal audit can be really valuable in their input right now and organisations are more at risk not having internal audit’s insight.

I think there are two types of organisation (broadly) that are furloughing internal audit staff. Those organisations where cashflow is significantly reduced and the whole organisation is facing a critical point in its existence, and the second where the overall culture of the organisation is not aligned to the involvement of internal audit and internal audit are seen only as a cost centre.

5. General feedback on the session

Thank you, all. Much appreciated

Thank you.

Thank you all (x2)

Thank you all, another excellent discussion

Thanks for the updates, very useful

To prioritise the discussion, participants were asked to complete a quick poll on four questions and based on this the questions were ranked and discussed in order of preferences.


Attendee comments, questions and actions

1. In some cases, internal audit is now performing the role of Compliance, Risk or other assurance provider. This will inevitably provide deep insight on the effectiveness of the policies and processes in these areas, albeit whilst operating in exceptional circumstances. Should identified weaknesses be reported and if so, how?

Institute’s response

It’s potentially a very interesting question, as logic would say absolutely, internal audit should call out when they identify weaknesses in processes, policies, etc. But it could also, if not handled carefully or sensitively cause reputational damage to internal audit. Because the business might say, hang on a minute, you were supporting us, helping us, working first line and now, just because you’ve found something that perhaps, you wouldn’t normally have found, you’re now calling us out and reporting weaknesses in processes, controls, etc. It could be seen that internal audit is again becoming known as the policeman, not at all what we wanted. I think it is about how we deal with this and how we address anything that we find appropriately and sensitively. Raise it with the business, raise it with the area in which internal audit is working currently and agree a way forward to identify the weaknesses identified.

We have been asked to put our resource into other areas so that their audit skills can be used in these areas and my view is that we have a responsibility to call out anything we see that is not strong enough, or robust enough, because that is our role. I think it is how you do it and who you do it with that matters. I would be really uncomfortable if my staff were seeing things that they weren’t comfortable with and weren’t at least raising it with me and discussing it with me. There are some things that we can put aside and address once this is all over and life gets back to normal and the controls we would want to see. Others will be key controls that we would feel would really have to be in place now. Our view is that if there ever is a time that you need to make sure that your controls and your risk management and your governance is robust is now, during the crisis we are in.

In the event that issues are identified, would this include reporting up to audit committee potentially?

One of the arrangements we have in Government is that I have regular contact with a range of groups outside the cycle of the audit committee but within those groups there is the whole of the members of the audit committee, so by definition the audit committee members would get to hear about it. But I think they would want to hear about it on a more real time basis rather than waiting for an audit committee to come around every three months. I am fortunate that I have a good relationship with these groups and the chair of the audit committee, so there is nothing to stop me from picking up the phone to any of them and having a discussion with them and seeking advice and guidance on that too.

I agree, I think if you are actually finding something and we’re actually doing it at the moment, we’re working for one of our partners in the district council world whereby we are supporting the business grants pay-outs. Whilst we have to pay out quickly to keep the economy buoyant and making sure our suppliers’ businesses are kept buoyant, we still need to look at what they are doing and make sure that we’re not sending out millions of pounds without any checks at all. I’m not saying that our officers want to do that, some of them want to get it out quickly, where there is a little bit of a temper to say actually, we do need to think about fraud risks, perhaps you should put some disclaimers on these grant claim forms that you are putting out, perhaps we need to be doing X, Y and Z. Most of the time they do listen, and will do it, but again, as in the previous comments, we have a very good working relationship with our senior management and our audit committee chairs. We do have a lot of dialogue and we do discuss things and talk about the most appropriate way of reporting. We’re not hiding things, that’s not what we are here to do, it’s actually presenting them in a positive way that we’re moving forward. Having a risk isn’t a problem for them, it’s giving us an opportunity to improve. So, it is about that communication and dialogue and we are reporting it and do report things but in the most appropriate way I feel.

Institute’s response

I absolutely agree with what was just said and there is a comment in the group chat. I wasn’t in any way suggesting or implying that we keep things hidden. What I was suggesting is that we are there supporting the organisation currently and I think that it is about communication, it is about understanding the significance of the risk or the weakness identified rather than being seen to be reporting things and therefore potentially damaging relationships that have been built up over a period of time. I just think that we have to get the timing and the communication right.

I agree, I don’t think it is whether, I think it is a how and actually I would imagine there will be an awful lot of managers who would value having the perspective of an auditor sitting alongside them with some of the things they are doing or being involved in doing it. I thoroughly endorse that we have to be very careful about our longer-term relationships.

2. In order to improve agility is it appropriate to remove, reduce or delay internal audit policy or procedural requirements during the crisis?  e.g. Quality assurance activities outside the cycle of individual audits, level of peer review or prescribed timelines for staff reviews.

Institute’s response

This is very much part of the here and now, but also looking to the future. We need to think about our agility as an internal audit function moving into a new world. One of the things we have been talking about is looking forward to coming out of the lock down and the new ‘norm’ as we move into hopefully the rest of summer and I think that we need to think about how this all sits together and how we re-imagine what internal audit might look like moving forward. That could well be reduction in internal audit teams because organisations will have reduced in size because of the challenge. I think things like performance appraisals, like quality assurance reviews, if they can and are done internally within the internal audit function then yes, they should be. Again, it is about balance. I do not think there’s ‘one size fits all’ at the moment.

A lot of my clients, I work in practice and I see a lot of clients in the financial sector, they are now moving to effectively what they are calling a temporary ‘business as usual’. They are embracing everyone working from home. Those that know the industry will know that the idea of not being in the office is quite radically different for a lot of people. But in moving away from the office and having in-house and partner and co-source internal audit functions, we’re not seeing that sort of involvement in the 1st and 2nd line operation and we’re still seeing that involvement as a 3rd line, as a 3rd line maintaining the Standards, maintaining the policies and procedures we had to begin with. Yes, of course some of the timelines have changed, yes of course we need to be agile and sensitive to how the business is operating and yes of course there could be reduction or expansion depending upon how we come out of this. A lot of those clients looking at working from home as almost being business as usual, or at least being a temporary business as usual and they’re expecting internal audit functions to be able to step up to the plate, to continue to deliver that internal audit function in this business as usual environment. So, yes, the environment has changed but all the practices, policies, standards and procedures that the industry and the profession have promoted should be able to stand the test of time. 
There will of course be a period when we want to reflect on this as a profession and say ok, well what part of the Standards do need to flex, what part of the IPPF need to flex, what do we need to talk about in terms of quality assurance, but all of those things are the things that give us the strength in our profession and that’s why the business come to us, because we know, that they know, that we provide those agnostic of what we are looking at, agnostic of where we are in the world, agnostic of whether we are doing a desk based review or seeing people face-to-face – we apply those Standards and that is what gives the business confidence in how we are operating. There can be a load of flux in the rest of the operations of the business and we need to be agile in how we stick to those Standards, but I think, my view is certainly that we don’t reduce anything that could be seen as taking away the quality and value that is provided.

In the first week of this forum, in the notes, we listed some principles that might apply throughout the course of the crisis and one of the principles was be ‘agile’. Another was remember the IPPF it is there to help, it is not a mandatory A to Z of what you must do, it is a framework within which you can work. It is the framework for working within that gives us the ability to be agile but still deliver quality of work.

Institute’s response

I agree, the IPPF is principles based not rules based so it is not ‘thou shalt’, it is ‘have you thought’ ‘could you do this, this way’ or could you think of how you need to embrace the spirit of it. So, I agree with both the previous two comments – it is a framework and a framework that we need to maintain in terms of delivering the quality of our product.

The most agile thing that we have had to do is effectively balancing a re-plan so that we are providing assurance on new and emerging risks that the institution is facing and being able to supply some staff to some of the areas of a bank which are under the biggest bits of strain at the moment. We haven’t done things like reduce the amount of quality control work that the quality control team are doing. We’ve allowed people a one-month delay in their latest staff review or catch-up and that is simply because people were transitioning to working from home. That’s the sort of things we have been focused on, but it has been around far more, the plan doing a completely brand-new type of opinion and we’re now walking those things around.

I am just going to relate to a call that I had earlier on today on a similar subject. The organisation I am talking about is in danger of going completely insolvent in the next couple of months. Money will run out, they cannot genuinely afford to have an internal audit team anymore, it is not seen as essential in the sector, it is not essential in their mindset just now and the cost of that, in their mind is that it is absolutely discretionary.

But the point is they have actually approached a couple of people from that team and said: ‘how can you help?’ you are deemed to be good people, we value the input, we just can’t have it as part of the audit team just now – the audit team effectively does not exist, how can you help out elsewhere? I do agree, in terms of the role that audit can play here, it has lots of skills, it’s got a broad brush of experience and can certainly help out.

 

I was on a call with some colleagues in America and one of the things they were saying was that their head of internal audit had stopped doing everything that they were doing at the moment. They got the team together and got the team to think about the real risks facing the organisation. Then split them up into teams and sent them away to look at things and how and why the organisation might make changes moving forward.

One of the things that they came back with was that they’d identified a country, where they were poor payers, they were very slow, had to chase. What they said was that in a COVID-19 world they are probably going to be even slower; so they recommended that they stop dealing with customers in that particular country in the short term to keep revenue coming in and deal with customers in countries that were prompt payers.

Their CFO said, this is great, this is internal audit adding value in a whole new way to the organisation. So maybe that is an indication of something that we could all do, look at cost reduction, look at suppliers, look at customers and see how we can help shape the organisation as it moves forward.

 

3. We have an audit of business and financial planning process in the schedule and the audit committee have asked for this to be brought forward as they are concerned about the robustness of the process at this time of crisis. How do you audit business and financial planning processes in an environment where there is little if any credible source of market related information, potentially gaps in the skills available in the business and where some of the core inputs to the planning process have been eroded?

Institute’s response

Absolutely agree, it is a challenge where these things are not available, then we need to think about what other options have we got, where else can we go to for sources of information and how reliable might other sources of information be. I think we need to reflect the current environment, we need to think about the changing world we are in on a week-by-week basis and perhaps talk again to our audit committee as to what exactly they are looking for, how can we do it differently, how can we think outside the box and what have management got to say at the moment. I think this is a real communication issue and real understanding about what is expected and wanted.

Not to contradict at all what has been said. In reality, look at economic indicators, which at the moment are all over the place, all negative obviously, short, medium and longer term. Using the current financial planning models which don’t work in this scenario and they probably have a skills gap as well at the moment.

We are very fortunate, I have just come off a call where we had the bank’s economist speaking to us, so we actually had the ability to have a house view on certain things, but I think in everything we are doing, given the fact that there is so much uncertainty for any planning to be done on a sole single access or single set of assumptions, that I think needs to be avoided, and people need to effectively have a series of scenarios ranging from what is reasonable to what is very much a downside and probably the likelihood is that you will end up somewhere between the two. You have got to use those as almost guard rails for your planning. It does make things quite difficult because clearly from that, that is going to have a large number of impacts on your financial statements with things from goodwill to value in use etc. There are a lot of financial consequences and therefore, doing that properly and thoroughly is something that a lot of finance teams are going to be stretched over in the short term.

The reason I asked for the response from the above participant, is that in much much larger organisations than most here, not all certainly, is that I knew you had in-house economists, that’s the ability to actually resource internally, externally not the case. This organisation I am talking about is not getting reliable information, so you have to go to scenario planning there because there’s nothing else that you can rely on that is concrete just now - the concrete has just gone, it’s fluid now.

4. Given the impact of the current crisis would it be appropriate to allow an EQA to be delayed beyond the five-year cycle?

Institute’s response

Yes, I think we have got to be pragmatic at the moment. The likelihood of you as internal auditors, as heads of internal audit wanting an EQA immediately you get back in the office is slim. I think reality has got to come into play here in that it says five years, some internal audit functions have EQAs more frequently and I think that as long as you are talking to your audit committee, as long as you have perhaps done some internal quality assurance within the audit team and reported those findings back to your audit committee then, if we can delay an MOT for six months, I think we can delay an EQA an equal length of time.

So, some of our Standards then are they more important than our quality assurance ones?

Institute’s response

None of our Standards are weighted, none of them are perceived to be more important than any of the others. I think it is about being pragmatic in a difficult time and yes, the perfect world is that we should be conforming with all of our Standards on a daily basis.

The world that we are in now is probably meaning that some of our Standards are slipping and I think if we are maintaining the majority of them and we actually slip a little on our EQA and we have communicated with the audit committee, I feel fairly certain that no EQA reviewer when they do your review will hold you in default because of that.

 

I think, having done EQAs in the past, the circumstances would dictate that I couldn’t possibly fail anybody for not having an EQA, when in a sense you can’t have one just now, I think that is just reality. The reason I asked this participant about their question, is that is what you do get back from some people sometimes is – ‘so you’re happy to breach the Standards are you?’ No, what we are doing is managing the situation as best we can.

 

Institute’s response

It is fair to say that the Institute is still doing EQAs, we’re doing them through virtual tools such as Zoom, we are accessing documentation, we’re doing interviews, we’re doing surveys. So, some of it is absolutely possible. All I would say is, just think pragmatically and proportionately, as to whether this is the number one thing on your list of priorities as you move forward.

The other thing that I think about the EQA process is, one of its strengths is the ability of the reviewers to link with stakeholders, so access to stakeholders, so easy access might be a challenge at the moment.

It just underlines the point that, it is going to be horses for courses. Those that are conversing virtually, you can chat to your heart’s content and you can carry on and do so, conversely other organisations aren’t and therefore it’s going to be difficult to make progress. I think the last thing that most people would like to have is a protracted EQA that starts tomorrow and lasts for six months while we try and get things done. That would be a painful and ultimately a difficult process to exit, so pragmatic is the word I think here.

 

There are a few comments (Chat Box) from earlier on, when we were talking about the audit team that has effectively moved out from internal audit and is helping elsewhere, that are worth exploring further.

I think that some of the challenge we are speaking about for organisations where we don’t have this level of comfort over so what might be happening in the new reality, I think is more acute for organisations than before the crisis began; didn’t have sufficient line of sight over what their preparedness plans were or didn’t have sufficient line of sight over what their internal control environments were and I think it is true of internal audit functions and I think it is true of their audit committees and trustees. So, I think organisations that have applied that level of acuity have of course, I am not by any stretch of the imagination suggesting are not experiencing the crisis, but they are not quite experiencing the crisis in the same way. The second point I want to make is that I do agree that the Institute’s guidance, how we can help the rest of the organisation should be a primary entry point but I don’t, for me personally, think that is the complete picture. For me, it is very important to retain that law of still approaching the crisis from the lens of what we think the other two lines of defence should be doing and I don’t think, regardless of how co-operative and sensible you want to be with that enterprise, it is absolutely incumbent upon us as internal auditors to ensure that the other two lines of defence are demonstrating, in the middle of the crisis, a high level of professional acuity and rigour of execution. I am completely not averse to joining the other two lines of defence in helping out, in fact I am doing that as we speak but it is only after the primary questions of the rigour of those processes have been asked by internal auditors that, that help really should be offered, otherwise I think we will not be delivering on our primary remit.

I don’t personally have any disagreement on what you have said on that, you have expanded the point quite a bit and you have made it more relevant to different organisations at different levels of maturity.

 

Institute’s response

I don’t disagree with what has been said. I think it is about, as I said, ‘no one size fits all’ in this scenario. We have organisations of variety of sizes, variety of maturity and variety of complexity and I think we just need to appreciate the guidance the Institute can offer, be it the IPPF, the guidance on our website, on the COVID-19 hub, but also what works and what is appropriate for your organisation. What I would strongly suggest, is that internal audit needs to be talking to the chair of their audit committee and that can be weekly, daily, however frequently about what they’re doing, about what impact it has on the assurance that internal audit is going to be able to provide and also looking forward to the opinion the internal auditor is expected to provide an annual opinion at the end of 2020/21 internal audit year.

If anyone has any questions outside of this forum or that might pop up after thinking about the discussions today, please feed them back to Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk). We will happily submit the questions to future forums or come back to you on questions that might be specific to you.

We are going to try and evolve the forum as the weeks go on and we are planning to evolve it next week to start talking about the phases of response to the crisis from internal auditors, from picking up the challenge to the future in terms of business as usual. Our thoughts have originated from a paper by McKinsey & Co. which we feel is valuable and we may use the framework to help internal audit going forward.

McKinsey & Co. have put it into five horizons:

  • Resolve - address the current challenges
  • Resilience – how effective were our protocols
  • Return – create a detailed plan to return the business back to scale quickly
  • Reimagination – the ‘next normal’
  • Reform – be clear about how the environment in your industry could evolve

These are the five horizons I think it is worth talking about from an internal audit perspective as we move forward.

We will try and evolve the conversation to start focusing on the five horizons, clearly, we have probably moved past the first one already, but we’ll reflect a bit on that as well.

For those invited on the basis of being a head of internal audit, not representing another body, you will be invited again in the future but we are trying to rotate yourselves on the basis that we have high numbers wanting to join this forum.