Heads of Internal Audit Virtual Forum

17 June 2020


Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity this box is highlighted in yellow.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Today’s forum focussed attention on audit committees, their relationship with internal audit, and some of the key areas of concern which they have focussed on since the current crisis began. Our guest provided us with insights from ongoing discussions within the audit committee community.   

Post crisis 

1. Coping with the immediate crisis, three phases have been identified, with different organisations going through different phases at different speeds:

a. Repair phase  Fighting to sustain the organisation, trying to find different sources of finance, trying to stabilise.

b. Rethink phase – Such as office space, the business model, the size of the organisation, the type of customers, market strategy etc.

c. Reconfigure phase  Some have moved very rapidly to this stage to face into what the new normal will be, eg British Airways.

All of this is very relevant to audit committees who are talking about decisions they are having to make – particularly the phase they are in, in terms of the crisis and the control environment. 

2. Communication - Audit committee members are struggling to keep up with management who are moving at real pace eg fighting for the organisation’s economic life. Internal audit have a role here to act as a conduit for communication between busy management teams who are perhaps not paying the level of attention to their non-executive directors and their audit committees members as perhaps they should, and who might be feeling to some extent left out of the process. 

3. Meetings - Many more board meetings are taking place on Google, Zoom and MS Teams, for example. However, audit committee meetings are not taking place more frequently, although communications between, for example, external audit partners and audit committee chairs are increasing. Has the level of communication with your audit committee chair gone up in this crisis, or has it gone down as there are not the same opportunities for face-to-face meetings? If you are not talking to your audit committee chair perhaps you should be picking up the phone to them. At a time when they are not travelling to attend meetings, they may have more time to reflect and take calls, as well as undertake a slightly less pressured conversation before you head into an audit committee meeting. Everyone needs to step up and communicate more effectively and become more aligned to what the audit committee chair wants and help them develop in their mind what they should be seeking. 

4. Reset risk – There is a lot of discussion now about resetting risk. A lot of organisations did not have the global pandemic on their risk register as a separate item and have therefore not properly reflected this in the identified risks – the business model, the supply chain, etc. Probably on reflection there wasn’t sufficient deep thinking around identification of the risk and the mitigating factors to deal with it. Almost every organisation in the country has been massively impacted by COVID-19 and few were well prepared with the right level of PPE, the right level of financing, and the right contingency plans for the supply chain for example.

The expectation is that in resetting risks, organisations will have a much clearer view of what matters in terms of their business model and the opportunities and threats that come with it. It's this view that gives clarity of thought. However, there is a danger for that clarity of thought to disappear fairly quickly as we get back to some level of normality. People have to grasp that opportunity now while we're more open to change. Internal audit has an important role in helping what is likely to be a widespread reset of risks that organisations should be focussed on. Internal audit should position themselves right in the centre of that reset with the knowledge they have and the voice they have at the audit committee. 

5. Controls – Virtually every CFO, CEO and chairperson has basically been saying that their controls have been fine. They have been surprised at how well the communication and technology has worked; how well people have been able to work from home; and the way customers have continued to support the business. However, there is some scepticism over this, as when we went into this crisis the control environment within organisations were at average, many below average, with a few notable examples above average. This crisis will not have improved control environments, if anything it will have done the exact opposite with the pressure on individuals and the extra time it is taking to do things. From audits undertaken and organisations with March year-ends this highlighted that control systems have remained reasonably robust, but that was several weeks into the crisis, not several months, where we are now. There is a huge amount of work that will be needed where those weaknesses have happened. Some weaknesses will not have manifested yet, or where weaknesses may be developing have not caused a problem yet, but if we continue in lockdown they may well do. Some areas to consider include:

a. Compensating controls – This is an important area. Have they really been working effectively? Who has been testing them? What evidence is there to support the fact that they continue to operate in the absence of control operators who have been off sick, furloughed or working from home? 

b. IT and cyber risk – Controls over emergency IT changes may be a particular risk, particularly as people are working remotely. There is a huge increase in cyber risk and the level of attacks that have been experienced in the last three months. This is an area that we need to focus on along with controls. We have moved from wet signatures, original third-party documentation, etc and that has got to have reduced controls. 

c. One-off transactions – Such as restructuring, deals, changes to major contracts. Where are controls around these? Who is checking that, to make sure that the organisation is still in control?

This is an area where there should be discussion with the audit committee. 

6. Opportunities - How do you distil the really good things that have been learnt during the crisis and go back to the things that were really good as well, in effect get the best of both worlds?

a. We will have a workforce that spends a much higher proportion of their time working remotely. From a team’s perspective it will be really important to build in ways of ensuring that you can assess people’s welfare and look at different ways of motivating teams.

b. Much greater use of technology. We have reacted in an emergency and therefore there must be a way of going from emergency to much more thoughtful applications. If you make that specific to internal audit, there is likely to be a much greater expectation that internal audit is at least alongside, if not slightly ahead of the curve from a technology perspective. Rather than what has possibly happened historically, playing catchup both from a technology use perspective and how to approach the deployment of technology in organisations. Internal audit needs to be proactive in this space.

c. Much greater alignment with what the audit committee wants and what internal audit can deliver. Spend more time with the audit committee chair - this is a great time to do it to help them identify what they need and what they should be asking for.

Pre crises focus 

7. The role of internal audit in the 2020’s – Whilst this is well defined in financial services organisations, there is a wide variety everywhere else. There is a real focus on the need for internal audit to change, to get better and more relevant in what it does. Such as technology – does internal audit have the right skills and capabilities to cope with the technology that is being deployed throughout the organisation? Does internal audit make the best use of technology in its own performance of its work? Is internal audit using artificial intelligence and data analytics? 

8. Staffing the internal audit function – Whether the functions should be co-sourcing, outsourcing, in-house is still being actively debated especially around specialist areas such as tax, treasury, IT etc. If an audit committee chair is being asked to defend an internal audit budget request, they want to be able to point to innovation and value for money in return for that additional investment – it’s not about more activity but smarter working. The activity of the internal audit function needs to be closely aligned to what is troubling the chair of the audit committee, whether that is controls, reporting, a deeper understanding of the culture of organisation, etc. The level of communication that internal audit has with the audit committee chair is important – you need to be on their agenda in order to make it work. 

9. Effective governance (internal audit, external audit, audit committee) – To get effective governance you need an experienced audit chair. There is a generational shift going on, which is good, but it does mean there are relatively less experienced audit chairs in a number of organisations. It is difficult if you have someone learning their trade and you are trying to seek guidance from them as to exactly what good and best in class internal audit looks like. However, there is a lot of training being provided by a number of organisations. By encouraging audit committee chairs to go on that training they will be able to get more of a perspective. It is difficult if an audit committee chair is not clear about their expectations. Also, regulators will have a view as to what good looks like. 

10. Audit committee concerns pre-crisis – In March 2020, the audit committee's focus was on climate change, cyber, Brexit, modern slavery, etc, and these topics still exist. In relation to modern slavery and COVID-19, this is likely to exacerbate modern slavery particularly as we move into recession. It is an area very close to home affecting jobs such as cleaners, food preparers, etc. This along with climate change could become a very high-profile area particularly as organisations are found to be exposed to this and not looking out for it. These are things that are relevant and will resonate with audit committees and boards.
 

Institute's response

The Institute is looking to create a page on our website for audit committees where we will have content that will be in one place for them to find information about internal audit that they perhaps don’t know at the moment. The intention is that the page will equip them with the skillset to ask questions of their internal audit function. We have to take this opportunity now and move forward with our audit committee into the new future, supporting our organisations but not forgetting governance, risk, and control.

  

Chair's comments

Finally, as today’s session draws to a close, I would like to thank you all for attending and for contributing to our discussion and a special thanks to our guest panellist.

We are very keen to get your feedback about this Forum, in terms of both format and content. This will be invaluable for shaping future meetings and making sure they meet your needs. So please do share any thoughts with Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk).

And of course, we will happily take further questions outside this forum as part of our ongoing approach to the COVID-19 crisis – so please do get in touch if there is anything else, we should be looking at!


Chat box comments from attendees

Interesting that audit committees are thinking about what they want from internal audit. Certainly, in the charity sector it is very unclear what the expectation for internal audit is. In the absence of a steer from the regulator or charity governance code on this, the expectations for internal audit tend to be set by individual audit committees/chairs. This is great for organisations like mine where we have a strong audit committee and more problematic for charities with inexperienced audit committee members who may not have a clear understanding of internal audit or their own role. 

Prior to the pandemic, organisations were facing a number of challenges - Brexit, climate change, cyber etc. We still face these now. To what extent do you think organisations may be 'distracted' away from good governance/risk management by the pandemic and the chance/opportunity to work in new, and exciting ways?

  • I think the answer is rather more substantial to an extent! Hence the focus on strategy (I think from last week) it is vital in my view.
  • I agree, balance is so important. Need to ensure we aren't distracted from those other significant challenges.