Heads of Internal Audit Virtual Forum | Key takeaways

22 April 


Please note:

  • All Institute responses are boxed and highlighted in blue.
  • All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box content

1. It is increasingly likely that the reduction in lockdown restrictions will see social distancing measures remaining for some considerable time. Auditing from a distance is now becoming the norm for many of us. Is this the way to go in the future? More efficient and more effective?

What are the “must have success factors in remote auditing”? Experience shows that the key thing is that everyone knows exactly what to do and there is a written ‘how to’ guide. Otherwise you end up with files being uploaded to wrong locations, questions people didn’t respond to because they haven’t seen them, and because of time zone differences a day wasted because of that.

If nearly all auditing can be conducted remotely at what point are, we ultimately automated out of the picture?

For me this depends on the audit. For some audits I think yes increased remote auditing will save time and money and makes a lot of sense for document testing especially. However, there are some audits where we need to perform physical checks, and for funders it can be invaluable to physically visit a location and confirm that the activity being funded is taking place. Also, as our guest panellists have said, the body language and relationship building elements of physically being present are often providing real insight that internal audit can’t get virtually.

Remote auditing can also help our carbon footprint. For me, the key challenge is that it is difficult to do remotely process walkthroughs, and we likely need an appropriate balance between face-to-face and remote as described. Face-to-face is also really important when we are training new team members.

There are audits in our plan which subject to physical presence like network access check, physical inventory check. If there won't be change in the lock down, we must reconsider those audits.

2. Our audit plan is still relatively compliance focused but with a significant and increasing element of risk focused work. During the crisis we are increasingly being asked for opinions on decisions that the organisation is making. On several occasions our input has resulted in revisions to decisions. Are we taking a first line role now or is this an opportunity for the future?

In my experience there is nothing problematic in internal audit analysing strategic decision-making processes to see if process itself is deficient. If based on the findings from that exercise, management fixed the issue and therefore managed to come to different opinion, this is normal. main thing is not to decide for the management.

This is exactly how internal audit should be operating - raising challenges and opinions as early as possible

It’s important for internal audit to be supporting the business re key risks and sometimes, that means advising on changes whilst they're being made rather than looking at controls in hindsight. As long as the internal audit function can manage the self-review threat, I think this is something we should be proactively doing.

I think all high-level decisions consulted with internal audit, are the opportunity to demonstrate our full landscape view at the service of the organisation. The key is to use objectively all available elements around the decision and ensure all people involved are aware about our role and that we are just advising.

In Government audit we are very much critically reviewing audit plans to consider changes in the control environment, experience from business continuity and learning about what we can carry into a return to a new normal.

IA has a rare perspective.

Completely agree - this is an ideal opportunity for us to really demonstrate added value but being receptive, proactive and responsive.

3. We have an audit in the plan which we viewed as having high potential for significant findings to be identified. We have now been asked to defer the audit as the function is too busy. How do we respond when access is being restricted by management?

Independence point - is management using COVID-19 as an excuse and trying to influence internal audit? If it is a genuine concern, then internal audit needs to understand what it is?

Would it be prudent to initiate discussion on what management can do "instead" of the audit to address these concerns themselves?

We reconsidered the FY21 audit plan in light of COVID-19 in the last 4 weeks. We changed one third of the audits to focus more on the changed risk profile. We learnt longer audit delivery in most of the ongoing audits due to the other priorities of the audited teams. I think it should be common learning.

We’ve got a similar situation and there’s a balance to be sought here. On the one hand we are very keen to give the organisation and individuals, those in busy roles especially, flexibility and space in these challenging times – and we have aimed to be very flexible on timings. On the other hand, though, we do still need to give assurance in line with audit committee expectations. Where we think it is important that audits go ahead, we’ve been giving more flexibility than usual on timelines, (and wellbeing comes first, so for some individuals, we may decide they will not be involved), but we are still going ahead. With a couple of audits we’ve taken the view that actually it’s these 5 key controls we are most worried about – knowing this team is especially stretched we are going to look only at these to minimise the time the audit takes whilst still giving assurance/recommendations over the areas we really need it on; or in some cases we are going to do walkthroughs only (and postpone detailed testing).

Linked to this, we're seeing a bit of push back when following up recommendations/management actions - it can be hard to challenge whether their completion is genuinely impacted by COVID-19 or it’s a convenient excuse. It’s early days at the moment but I can foresee outstanding action lists growing and I wonder how far we should be pushing on this.

Agree with all comments – the audit committee wants to know that the control environment operates during periods of stress as well as plain sailing.

There is a difference between asking for things to not happen and asking for some flexibility over timing - whether that is audit or action completion. As a board chair also, I have accepted that some audit work will not happen in the next couple of months whilst certain staff are furloughed. But that is possible in part, because of what we have already seen this year, and because we are having more active discussion as a board with the front line. And I expect the audit work to be reconsidered and recommence - it’s not about, not doing things.

I think we will probably k now in many instances which are genuine reasons for 'push back' and which ones aren’t, comes from knowing the organisation, its culture, and the behaviours of key managers...

Good point - I imagine we all predicted a couple of people who asked for a deferral before they asked for it!

Good to hear private sector view and absolutely agree with the comments, however COVID-19 risk is very different in the public sector, so the private sector solution wasn't an option for us.

In my opinion pushback is more often when there is no full alignment on the risk and risk appetite.

4. General feedback on the session

Thanks all


Attendee comments, questions and actions

To prioritise the discussion, participants were asked to complete a quick poll on three questions and based on this the questions were ranked and discussed in order of preferences.

Questions for discussion

Poll results

Auditing from a distance - It is increasingly likely that the reduction in lockdown restrictions will see social distancing measures remaining for some considerable time. Auditing from a distance is now becoming the norm for many of us. Is this the way to go in the future? More efficient and more effective? 54%
The changing face of internal audit - Our audit plan is still relatively compliance focussed but with a significant and increasing element of risk focused work.  During the crisis we are increasingly being asked for opinions on decisions that the organisation is making. On several occasions our input has resulted in revisions to decisions. Are we taking a first line role now or is this an opportunity for the future? 32%
Deferring of audits in overstretched business units - We have an audit in the plan which we viewed as having high potential for significant findings to be identified. We have now been asked to defer the audit as the function is too busy. How do we respond when access is being restricted by management?   14%

As we have mentioned previously, we are looking to evolve the forum and this week we have two guest panellists joining us providing their opinions on the questions raised.

1. It is increasingly likely that the reduction in lockdown restrictions will see social distancing measures remaining for some considerable time. Auditing from a distance is now becoming the norm for many of us. Is this the way to go in the future? More efficient and more effective?

Guest Panellist 1

I think yes, it is the way to go if we are not already there, just like data analytics, agile methodologies, real time assurance they’re all the right things to do in particular circumstances, so balance sheet reviews some transactional reviews all or part of that can be done remotely or with some people on the ground. I know that this is already in place for some large global firms and that includes financial services.

We’re regularly challenged to do more with the same or fewer auditors, and I think that this could help but for everything – no. If we base this on the ways we have been working over the past four weeks it has been ok but if we extrapolate that I am sure there will be a number of unintended consequences, if that was the only way.

Relationships are really important to us and body language can be replicated in some way, but you can only see from here up. We deal with really complex issues, we deal with sensitive issues so there is value in face-to-face and continuing with it, but absolutely it has its place, it has its value and it has its limitations.

Guest Panellist 2

In my organisation this is something we are actively talking about just now. Our CEO has set a mandate for our organisation to disrupt the sector and we do use the ‘disrupt’ word quite considerably now. We are already having conversations both within the internal audit team and organisation wide around if we revert back to ‘as you were’ when this crisis is over, then we have missed a big opportunity to really think about things differently.

We have a very clear mandate not to go back to the way we were and to use this as a point of inflection to really challenge what has worked well in this lockdown and what we would want to do differently, if when we go back to some sense of new normal. To give a couple of areas that we are actively talking about just now, within the organisation we have got circa. 80% of our employees working from home with no real challenges on capacity or technology so far. Even from just a basic commercial perspective, do we need the footprint we have got in the organisation going forward, or is there a more flexible operating model that we can adopt, and that serves a number of different purposes. I’ve mentioned the commercial lens but there is also a wellness lens for employees and there is a big stream of thought at the minute around having much more flexibility – gives our colleagues a better mind set to be better auditors and better bankers, so there is a lot of strategic imperatives for really challenging the status quo.

I do agree though that we are in danger of losing something if we went to 100% remote working. The water cooler chats, the corridor chats that we have in terms of building up those informal and formal relationships. I think you can go some way to doing that remotely, and there are certain aspects of this lockdown that has forced us to be more social because we are missing something in terms of that team interaction, but I do think there is something about that body language, those ‘tells’ that you get from a face-to-face conversation and in the room, you can sense the culture when you’re working in a team, assuring a team and working in partnership with them that you just won’t get over Zoom. I think that there is a real opportunity for us to blend a different number of techniques from the traditional observation skills that the internal auditor knows and loves with employing technology more.

We are using split screens to do walkthroughs with our stakeholders, so on Microsoft Teams you can collaborate and split screens and do walkthroughs and test controls and we are testing a lot of that just now and it is working really well. I think it is about blending the new, the technology that we are forced to adopt just now with some of the traditional techniques and finding the best of both.

Institute's response

I am absolutely going to agree with everything that has been said.

I think it is all absolutely valid and very very relevant and if the Institute and our profession doesn’t learn from this current crisis in terms of how we do our jobs differently then we have missed a huge opportunity.

Richard Chambers at our Annual Conference said our audit methodology hadn’t changed for 20-years, well it’s going to change significantly in the next 6-12 months I would guess, and I think that is good.

I absolutely agree with what was said previously, we mustn’t lose the water cooler conversations, we mustn’t lose the opportunity to observe how people behave, particularly for audits like culture, where we are looking and observing how people are behaving and I think that is more difficult to do on the screen.

I think also, and perhaps this is a little bit old fashioned, but I think there is the deterrent effect of having internal audit around and people knowing you are there. If we are missing and accessible through Teams or Zoom or whatever we’re just not always on-site, that would be a mistake, so I think there is a balance here to be got and we need to make sure that the balance is right, but I support everything that has been said.

 

Picking up on a comment in the Chatbox – are we effectively doing ourselves out of a job? etc.

I like the idea of balance and I too subscribe to many of Guest Panellist 2’s thoughts. For a profession I think that we do have to think about how far we take some of this, there are tremendous opportunities, there are tremendous threats as well. Whilst certain types of audit lend themselves to remote working, in practice other ones don’t. I worry if we go too far down the remote path, at what point do people wake up and think actually, is there a need for us as human auditors, why don’t we just run it all through AI and robotics and machine learning.

Reflecting on my history, I think probably of the top half a dozen findings written by me, maybe three or four have come from the key discussions and the whites of the eyes and things that just don’t add up. It is a bit of the auditors nose whether or not everyone thinks you should have one, I think with experience you do have one and it absolutely counts sometimes to join the dots, sniff it out etc.

2. Our audit plan is still relatively compliance focussed but with a significant and increasing element of risk focused work. During the crisis we are increasingly being asked for opinions on decisions that the organisation is making. On several occasions our input has resulted in revisions to decisions. Are we taking a first line role now or is this an opportunity for the future?

Guest panellist 2

Coming from a financial services background we subscribed naturally to the Chartered IIA FS Code (Effective internal audit in the financial services sector) which clearly states that our scope covers much more than just compliance. For quite a number of years now I have been lucky to work in internal audit functions where our views are really sought out on matters of executive boardroom type issues, so my personal view is absolutely, it is not a first line role for internal audit to move outside of compliance, it is a responsibility of ours to assure over, for example the management information to support decision making.

We are actively involved in the process for go, no go decisions on key programmes and just now, with everything that is going on the organisation is looking at aspects of the business and de-prioritising a number of projects that are now no longer valid. We have been asked for a view as to how effective that system of de-prioritising is and are, we making the right calls at this time, based on the changing face of the risk profile. 

We have a seat at the table on governance meetings and we are actively asked by the chair of those committees and also by the board audit committee chair for a view on how well those committees are run. It is really good that we have that profile, that our opinions are sought out in that way. I think a shift away from a pure compliance focus, depends to some extent on the maturity of your three lines of defence. So if you have a strong risk management function, a strong compliance monitoring team, then that is an enabler for you to move up into looking through the second line and the first line controls functions, who might do a bit more of that compliance and outcomes based testing and then you can assure on that framework. But you do have to work in-step with your colleagues in second line risk and first line embedded functions to be able to make that transition because without a strong second and first line you might have to fill a bit of a gap there. 

Guest panellist 1

I looked at this in two ways, one on compliance, it is important not to lose this especially at this time. Some of the basics still need to be there, but I challenge whether this can be done via data analytics or continuous monitoring, and that can bring you some resource and coverage benefits just now. In the longer term, challenge whether it is actually a third line of defence activity or as mentioned putting it into the first or second line.

I think the question around are we changing, I hope so, and if we’re not then we should be, because we are in the business of providing assurance and opinions and if you’re being asked for your input and you’re making a difference to the eventual outcome, that’s great and where I think you should be.

It’s of very limited value in having a lessons learnt and a view on your plan if your business is no longer there when you look back at that. You do need to recognise that the shift or the pivot is not the easiest, some are further along than others and as referenced in financial services they must be at the top tables and be involved and recognised as a key function and that is ultimately supported by the mandate in the financial services code, that was born out of the last financial crisis, so as has been mentioned many times, it is about making sure that we fulfil our roles just now and make the most of the opportunity.

I think that business expect us to have real time assurance as one of the products that we offer and through this we still need to be objective in terms of how we review what input we have and how we test that. Do not compromise your ability to stand behind your opinion and that can be really challenging in committee meetings or in steering groups, where they want decisions to be made quickly.

We are we are in the business of asking questions where we don’t understand or if we are not ready to concur or are not happy. There’s probably one or a few more people around the table in a similar place so don’t lose our ability to challenge because I think that is what is really helpful in a room that can be easily led on decisions as we go through things at pace, so I think it is the right thing to do as part of that suite of products.

There’s a comment going through the chat box about seeing a bit of push back when following up recommendations/management actions, would the author like to pick up on that?

Probably in a slightly more of a detailed level that the panellists were talking about, we have quite a lot of questions about, ‘we want to change this process, can you just tell us it is ok before we do it’. Basic things like how to evidence invoices being approved, as basic as that and we have very much taken the view that, that is where we should be at the moment, helping the business. We have got a large team and it is easy for us to manage that self-review and segregate the advice from the people that might come back and review that process at a later date. I think it is really important that we work with the functions that we are auditing to help them through this process as there are huge changes, really quickly and there is so much risk attached to that and we are in a really good place to help with that.

Institute’s response

I was thinking of this question in relation to our consultancy and advisory role and I think that sits well with the IIA Standards and it is not unreasonable to expect, and it has happened to me a number of times, your CEO to perhaps ask for some advice and guidance about a course of action they’re taking, your audit committee chair to ask of internal audit, not necessarily as part of a formal audit but as part of our holistic oversight that we have of the organisation and where we can add some real value to the organisation based on offering an opinion and some advice and guidance. I absolutely think that this is not us being first line. This is us delivering our role as professional internal auditors.

In my experience, also, internal audit is often the only function that, apart from the very top which sees the whole organisation. So, actually in terms of horizon scanning and being able to get really involved in helping the right decisions to be made at a time like this, I think we have a pretty key role and we have a very good platform in which to do it, so bring it on.

3. We have an audit in the plan which we viewed as having high potential for significant findings to be identified. We have now been asked to defer the audit as the function is too busy. How do we respond when access is being restricted by management?

Guest Panellist 1

The first thing I would think about with this one is the risk and how COVID-19 could change the likelihood or the impact of the risk being realised and therefore deciding whether we could prioritise it or we could do less, or do enough to get ourselves comfortable but for it not to be as intrusive for the organisation at that time. I would also want to understand why management have a different view or do they actually recognise that or do they have a different concern and if not, what makes them more comfortable than we are and then does that change our priority once we know what they are thinking about and also how overstretched are they – is this more of an issue than the risk we are worried about being realised, then we need to be relevant and making sure that we are looking at the right things and not adding to that. I’d also play on the words a little bit and say that we have been asked to defer and we’ve not been told so if we have considered it and it is still relevant be very clear, explain to the business why you still want to do it.

It’s about keeping them and the business safe and try as best as you can to take them along with you. Also think about if you have enough evidence to make a recommendation and give action then consider doing that as a standalone finding, maybe once management understand the context, the consequences and the actions they might come on board more, that could be more of a relationship challenge I think – I told you no and then just give them lots of actions, but there is another tool in our toolkit.

We should remember who our key stakeholders are and who has approved the risk-based plan. Escalate if you need to, if you’ve tried relationships and you’ve tried to help them to understand and you have understood more. Finally, if all else fails, document it and retain a record and revisit it at the best opportunity, but keep yourself safe, so to speak as well.

I think it is important also that internal audit is not discounted in this period, so if there is still a risk you really have to have that conversation with top level governance, they need to be aware of the view of internal audit and either intentionally accept that risk or put forward their argument why they feel that what the assurances are at this time. I think also at this time, pick up the phone and speak to the areas you are planning to audit and listen to what has changed in terms of the risk profile because of the situation.

If internal audit knows there is something wrong or believes something is wrong the worst crime they can commit is just to walk past, just because someone asked you to be there or not to be there is no reason for not being there and doing your job.

It doesn’t also preclude you from doing some work if you have a view driven by some intelligence, whether it’s intelligence from documentation, discussions or both, it is already in your hands, so what else do you need to get to approve or disprove that point, either way you need to do something, you can’t just defer.

 

Institute’s response

It is quite disappointing that management are taking this approach. I think that I would want to talk to management, as has been suggested, understand why this is a line they are taking, understand whether they fully appreciate our concerns, the risks that we obviously have identified and why we think this is a particularly significant area. If I deferred everything throughout my career because the function is too busy and I was paid £1 for that I think I wouldn’t be sitting here now with you I’d be on a beach somewhere on some Caribbean island.

Often that is an excuse and my nervousness at the moment and the point made on the group chat is ‘are people going to use COVFID-19 as an excuse for not having an audit’ a bit like perhaps sometimes we use independence as an excuse for not rolling our sleeves up and contributing to processes and decisions within organisations.

 

COVID-19 is this week’s excuse to be used along with all the other excuses that might have been used in the past.

Also picking up another comment on the Chat box – it would be prudent to initiate discussion on what management can do "instead" of the audit.

I would every much be in the line of have that discussion in the ‘why do you not think you have an issue?’ potentially, but it will come down to the relationship that you have with people and absolutely back to the point made by guest panellist 1, it is a request not an instruction.

If audit gives in to every single request it will be a long list of requests next week and they’ll all be about not doing audit work or go somewhere else.

To come back to the last question for a second and a comment, and a number of people agreeing with it - ‘bring it on’.

This is our seat at the top table and this is us using our responsibility to use that seat so if we’re asked to give advice and guidance and input then we should absolutely do it or we’re not doing the profession a service.

Secondly, if we give advice and guidance it is as good as the individual giving it, we are not guaranteeing everything we say is right, we never can, but we can guarantee that it has been done with the best of intentions and with the support and use of the framework, the IPPF, to do our job professionally.

It is a professional judgement being asked for, and you shouldn’t worry about that and just again, this area of consultation, getting involved with the first or second line this is where the biggest value can be added, but quite often this is where internal audit can hide behind the three lines of defence model and the theoretical standpoint that we don’t do this, so I would constantly challenge that.

Back to deferring audits.


Guest Panellist 2

We have had experience in the last few weeks of people pushing back on internal audits and we have completely repurposed our internal audit plan, deferred any non-critical pieces of work that aren’t looking at front-end critical processes or back-end critical processes and focused on COVID-19 work, but we have had a lot of push back, so not to repeat what has already been said, I have approached this question in terms of what is our role as an influencer and what is the outcome that we are trying to achieve and are there any other ways that we can get to the right outcome.

It might be as much as once we understand what the motivation for the request is, explain to them that, if we were sat in front of the regulator in three months’ time and they asked us where were you and we said we were nowhere because the business didn’t want us to be anywhere, that is just not the right answer, so work with us on this, how can we achieve the right outcomes. You know there is an issue, we know there is an issue so, you escalate it through your Risk Control Self-Assessment ( RCSA) and if we can see the transparency of that escalation and if we are comfortable we can help you with the action plan. Provided we are not thrusting the action plan down your throats we can help you. Let’s work on that and just get to the action plan quite quickly, lets do a risk workshop over Zoom, let’s get some people around the table and knock this issue out and come up with a solution now, that might be an interim solution, but it is good enough for now to get us past this.

My team, my colleagues and I have been working on our strategy called ‘controls coach’ where we are actually developing what is called a ‘cut out and keep’ internal auditor that we are parachuting into areas of the business and saying, if you think of nothing else, these are some of the key principles that you should be thinking about when you are having to adapt your processes to fit this crisis. Think about your control design, think about your prevent and detect, come and speak to us if want any information but basically we are going to leave a paper version of ourselves with you and we will dip in and out at certain points to help if and when that is appropriate. So, there is a number of different things that you can do Guest Panellist 1 mentioned the data side, but you can’t walk away from it you can’t put your head on the pillow at night and say you’ve done a good job if you are not making sure that the audit committee, who ultimately need to know about these issues, are not aware of them. But there are so many different ways that you can get that message to them, it doesn’t have to be us, but it is our duty to make sure that someone is telling them.

Message on the Chat box and mention of postponing audits but doing it on risk-based priority, just in the context of this particular question, if someone asked you not to do an audit it doesn’t necessarily take them off the risk priority list does it?

This was of interest to the group audit risk committee and to management so what we did was an assessment in light of the new risks, what we identified were a couple of areas that were not as important now as they were 3-6 months ago when we started the planning. So we picked up those areas, the cash management, credit, cash collection, etc which are important at this time and agreed with management, and it was supported by the chair of the group audit and risk committee to focus on those areas.

The pushback is always difficult to have an audit on an area which is under fire, the European business continuity management which was an on-going audit when COVID-19 started and those people that were interviewed, then focused 100% of the time on crisis rather than on giving feedback for us, but finally with a delay we did get it sorted.

My learning is that, if there is an area that is under fire we have to take more time, we have to leave more time, we have to be a little more patient but I wouldn’t say that we have to give it up, because otherwise we then cannot provide the assurance.

Our strong view is that at this stage  we have a plan which has been reshuffled to focus on the key risks in this environment, we have an estimation that this slowdown will be lifted up so we have remote audits for a couple of months, but once we can, we will consider some travelling, because our international organisation setup requires some travel.

There will be new development with this crisis management – COVID-19 in different countries we will consider this position and we will see what is the best to provide, so there will definitely be a role in forward planning that was not as important in the past. But now we see that we must react much faster.

Just to reflect again, there will always be bit of balance here, there will always be a valid reason to defer from somewhere, and to be blunt we usually know who is at it and who is being genuine and unfortunately, if you are at it a lot and you are genuine we don’t tend to believe it anyway, so be honest with us please.

Part of a group of senate companies in South America most of our facilities are in lockdown so it is a challenging environment for our internal audit in terms of finding the right path to provide services and provide advice to our business and to management in terms of doing the right thing, because these are exceptional times and everyone of us as internal auditors need to create the path and the steps to follow, in terms of supporting the business and possibly reacting to the operations across the countries and regions.

In terms of evolving and going forward a proposal for future meetings that may start next week, depending on availability is to move to a panel-based forum where we rotate panel members each week. The ideal from our perspective is to have an audit committee chair, potentially a CEO or CRO and potentially a HIA.

I am trying to build up a  pool of people as we know availability isn’t brilliant at this time of the crisis, but ideally if we can get a number of people at those levels in a pool we will try and get two or three of them on each week and we’ll seek their perspectives on the topic of discussion.

If we can get a CEO to talk about what it is like from their commercial perspective, it will add value and no doubt whichever sector it comes from will add value. If we can get an audit committee chair it would be great to hear their perspective and help us influence their own perspective going forward as well. We need them to be our key stakeholder in every sense going forward. If we could get a HIA to chat just like the two guest panellists today, I think we will definitely get value from practitioners like us, so this is the way we would like to try and evolve this going forward.

If would also be helpful if anyone has a willing Chief Risk Officer or Risk Director, it would be interesting to hear their perspectives if they would be happy to be on a panel.

Thank you to this week’s trial panellists, please send me any suggestions you have for panellists for future weeks and I will try and get them on the agenda.

If anyone has any questions outside of this forum or that might pop up after thinking about the discussions today, please feed them back to Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk). We will happily submit the questions to future forums or come back to you on questions that might be specific to you.