Heads of Internal Audit Virtual Forum | Key takeaways

29 April


Please note:

  • All Institute responses are boxed and highlighted in blue.
  • All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box content

If there is some spare time today, I have a question about remote auditing: are there any audits that we feel require an audit team to travel?

I'll aim to include this at the end.

1. Key stakeholder response – reflection of the response to date, how this has evolved and where this may take us going forward.  

Our key stakeholder engagement and response has been mixed. We have provided regular formal updates to the audit committee and executive team and less formal engagement through coffee sessions for other key stakeholders. We've extended the hand of friendship in terms of the work we could do and invited ourselves into other areas like assurance over furlough. We have moved quickly on our work and opinion.

I like the soundbite "better to provide some assurance than none". I totally agree.

2. Planning and approach – reflection on the initial and subsequent thoughts re the audit plan, both to address the current situation and the period ahead.   

We have revised our plan for the next few months as unfortunately all functions have had to do some furloughing. I have only lost one individual, but this still has an impact on a small team.

I wonder whether the crisis will hasten the end of annual audit plans. I have been doing rolling quarterly planning for the last couple of years and find it works pretty well.

We implemented a process where we asked our stakeholders to inform us through web form if they are planning to change or suspend any controls that support critical processes so that we can respond accordingly and adjust our plan.

I've usually had an ‘annual plan’ for the audit committee so that they can see the likely areas, but in my many years leading teams, I have always found I have had adjustments, new items and changes to agree with the committee at each meeting.

I hope the crisis will hasten the end of annual audit plans, as my experience of annual plans, is that you spend just as much time going through a process to change them a few months later than putting them together.

I agree.

3. Agility - what are we learning from becoming more agile of thought, process and response.

We were asked two days ago to do some work at one of our processing centres in the US. Normally we would plan this out, book flights etc and be out there in a couple of weeks. But instead, we are doing this online next week using MS Teams and are sharing screens so that we can view systems and discuss remotely.

Agree - would say that data analytics is key so that we still have coverage over key risks and controls, allowing us to move more into that 'agile' role.

Our internal audit team is adopting an agile approach to assess the design of new processes and process that have been implemented in response to COVID-19.

4. Advisory role providing advisory services may have been something we have done for a long time but how has it changed in terms of frequency, materiality and impact and how are we developing key relationships.

I've also been a fan of our internal audit consultancy role as I've tended to work in less risk mature organisations and ones that need help - pleased to hear that others are adding value through these tools from our internal audit toolkit.

That's my experience too. Where I am working now, internal audit is new and its seen as adding most value in the advisory side and providing insight through data analytics and using technology where we can. There is a lot of ‘can you help’, ‘what do you think given your experience’ etc.

Absolutely agree - I'm now auditing in the public sector having spent most of my career, so far, in the financial sector and I am experiencing a very different level of risk maturity. However, we are on a journey re internal audit being considered as advisers, as they were previously viewed as 'inspectors'. We are slowly changing this culture through training, engagement and agile audits. In the COVID-19 environment, I'm seeing many more stakeholders literally just pick up the phone for advice.

5. Remote auditing

Body language is important to see too.

Thankfully we don't do too many stock counts, but health and safety, build progress, complex issues and other sensitive areas need face-to-face. Also, if it is the management team of the area we're reviewing, I’d be more inclined to do face-to-face too.


Attendee comments, questions and actions

This week’s forum will see us starting to focus more on the detail of the response to the COVID-19 crisis and the emerging thoughts about the future of internal audit, in the context of the organisations we work for and the wider environment in which we all operate.   

As such, we will not be polling attendees on the sequencing of the questions we ask, but will instead shape the discussion on five topics. In doing so we will seek to draw some key conclusions on our reflections of the last two months and also consider how this is starting to inform our thought process on the shape of internal audit in the future. 

We are evolving the conversation we’ve had over the past 5-6 weeks. This is our sixth week of talking about the crisis, what it means to us as an audit team, as a group of auditors, what it means to our organisations and what it means to the economy and the world at large. 

We thought it was probably be appropriate to start evolving it a little bit more, to summarise where we have got to and potentially start looking forward a little bit. We have done some of that so far, but want to condense it a little bit and focus on a couple of subjects. 

We are using the McKinsey & Co. paper that we mentioned in a previous meeting. In particular, we are talking about the five horizons for the organisation going forward, through and hopefully out of the crisis. Just to give you the headings for those who haven’t seen it before, the five horizons are: 

Resolve – resolve where you are just now, deal with the current crisis, the challenges. 

Resilience – address your internal issues, cash for example. 

Return – plan to return to normal, in reality it is re-imagination as well, re-imagine what organisations and your world looks like and what you look like inside that. 

Reform – the world will be reformed, don’t ask me how, don’t ask me when, but regulation will change, laws will change, the world will change over the course of the next how many months. 

We have reflected and think that we are probably pretty far through the resolve phase, the immediate crisis, what do we do? do we take staff out? how we reschedule audits etc.? We think we are into the resilience phase quite comfortably now for many organisations and addressing near term issues. We’ve maybe reset the plans in an audit context certainly for the near term audit period and we haven’t yet got to the return to normal phase. So we are in phase two with a view to moving forward to phase three and re-imagining phase four of what the world will look like.

We’ve had, over the course of the last five weeks, a whole range of questions from 200-250 heads of audit that we have spoken to in that period. The questions have a number of themes and usually it is about what do we do in different scenarios. In reality, most scenarios have a generic context across the sectors and across the profession. Many of the questions are, as far as I am concerned, and I think many of you would agree, useful for everyone in terms of responses that come from our sector specific questions.

Today we have two guests who come from again the Construction Industry and we will move away from Construction next week, and also from a County Council. 

We are going to focus on the following five questions: 

  1. Key stakeholder response – reflection of the response to date, how this has evolved and where this may take us going forward.   
  2. Planning and approach – reflection on the initial and subsequent thoughts re the audit plan, both to address the current situation and the period ahead.
  3. Agility – what are we learning from becoming more agile in thought, process and response.
  4. Advisory role – providing advisory services may have been something we have done for a long time but how has it changed in terms of frequency, materiality and impact and how are we developing key relationships.
  5. Thinking forward – as we begin to turn to re-imagining internal audit, how has our reflection on the above points impacted our thoughts for the internal audit service going forward. 

This is not about putting two people up and saying this is the way it is going to be for everybody. I don’t think either of them would suggest that was the case and I certainly wouldn’t. It is very much about sharing their personal views and providing a chance to reflect on that and whether it aligns with what you think or not. It is food for thought more than anything else.

We will also be bringing in the Institute's view on this as we go through the discussion and reflect on the IPPF and the Standards and perspectives from elsewhere.

My final point - as I said previously - is that we have spoken to around 250 heads of audit. An example of how we are getting out there and speaking to more people is that we spoke to the Higher Education community this week. We spoke to about 20 heads of audit across the higher education sector in the UK, I think it is fair to say again, that despite  the fact that we are in different sectors, the challenges are all fairly consistent and as we talk about this, we can all benefit. We will now go to the first question. 

Since the start of the crisis, there have been a whole range of responses that you have been required to put in place. Could you give me your feeling/reflection what has been happening, how it has affected you as a function and you as an individual and what’s the nature of engagement you are having with key stakeholders just now?

1. Key stakeholder response – reflection of the response to date, how this has evolved and where this may take us going forward.  

Guest Panellist 1

We are in that lucky position in that we have just about finished our audit plan for last year. We are at the reporting stage for about four audits, and so are in unique position, in that we didn’t have to cut or let go of risk assessed audits that we had already planned for. They were still important and are still important today, so we will be completing our audit plan.

The first thing we did when we heard about the crisis, well over a month ago (literally as soon as we heard) was to speak to our Chief Finance Officer and the Chair of the Audit Committee and ask questions like: where will audit go? What is the plan? Are we on the furlough process? What is happening? The immediate response was: why are you asking this question? You will not be standing down. We need internal audit more than ever, if not more, and we would like you to be part of our processes.

One of the first things I was asked to do was a furlough process. I was asked: can you look into the controls that we need to look out for and have that audit evidence in place? I was quite surprised at the feedback that we got. There was also further indication, especially from the Chair that he would not sign off any assertations or any company accounts if they only cover say nine months of internal control effectiveness, because it was a case of, where is my third line of defence, so really really positive. There was no doubt in our mind that from our key stakeholders, obviously those are the two that I am mentioning because they are probably the ones that support internal audit the most – you do not stand down, you are to continue and we will find another way for you to provide the assurance that we need over a twelve month period as they are expected to, from a compliance, legal, regulatory perspective. Nobody is going to sign anything to confirm the internal control effectiveness statement when you have only covered nine months of the year say. So very positive from our stakeholders.  

Institute’s response

I think it is the statement I would hope to hear. It is not by a long way the statement we have been hearing at these events and in my conversations with heads of internal audit. There have been a number of instances where internal audit functions have not completed the 2019/20 Internal Audit Plan and provided an assurance based on a reduced scope because of the fact that they haven’t.

What I have been saying is, if that is the case make sure you are very clear in your opinion statement that you have covered, say 80% of your audit plan and the impact of not covering the other 20% - what were the key business critical risks that you are not able to provide an assurance on? What I have absolutely been saying is don’t meld it altogether and come up with something based on only part work. Be very very clear. In the world that Guest Panellist 1 finds them self in, they have been able to complete the audit plan and that is so positive and reassuring to hear. More importantly, the fact that they have not been furloughed is very positive and demonstrates the value that their organisation puts in internal audit, in terms of what they can bring. 


Guest Panellist 1

I think that the ‘tone at the top’ really makes a difference. It was well over a month ago that we reached out to both the Chief Finance Officer and Chair of the Audit Committee and we said: what’s the position? We need to know. There were no questions, it was why are you even asking the question? But we felt we needed to because we were still doing field work on a few audits and we thought: are you going to stop us right now, are you going to say no don’t finish, but it was the other way, so it was great, we are going forward now.

Guest Panellist 2

I personally feel that the only way to know whether our internal audit function is successful or not, whether it being in normal service provision or responding in a crisis, is always to get constant key stakeholder feedback and, where appropriate, act on that. That doesn’t mean giving up our independence. Acknowledging where our internal audit services can be improved enable us to do a deliverable, effective and valued internal audit service year-on-year. 

We like to make sure that we are always focusing our internal audit services on the things that matter to the organisation. So having that dialogue with the chairs of the audit committee and executive directors is an ongoing process for us.

During this particular period I contacted all of the audit chairs, all the executive directors. Having discussions with them, advising them of the activities we were able to do during this time of lockdown and working remotely. As well as things like finalising the 2019/20 activity, offering auditors to support business functions where necessary and focusing on new and emerging risks in terms of assurance. That has proved extremely beneficial from two key perspectives: from our point of view, one being that chairs of audit committees are all fully supportive of our actions taken, they have all confirmed that they still require our assurance on effective governance, particularly during a period of this major change; and two, our support to business functions has been extremely welcomed by our partners executive management.

The service has been acknowledged as being proactive, responsive, helpful, reassuring and particularly assisting the management in delivering the services, responding to the crisis at speed. So, overall,the response has been really good. No one is actually thinking of downsizing internal audit, they still want us to be around, not only just assurance work but a lot of advisory and support.

2. Planning and approach – reflection on the initial and subsequent thoughts re the audit plan, both to address the current situation and the period ahead.   

Guest Panellist 1

We are just starting to plan now and we are beginning to speak to our key stakeholders. The first thing that we did before we did anything, and this is just as much relevant to the businesses, every decision you make you should be documenting it, why are you changing your strategy? your process procedures - why are they so different to what you did twelve months ago? So we as audit should be doing just the same. I have produced a document stating this is what we did before, this is why we are changing it, and this is what the new world looks like. If anybody questions it, picks it up, whether we have a regulator in or anyone, it is clear, it is concise, and it tells you why we did what we did at that time.

So just like we say to other businesses, why did you furlough people? why did you take a loan? they have to document it, so should we. Now that we are in the planning phase, we are reaching out to key stakeholders to just discuss, in terms of risks, what they think are the key risks for the business. We will pull the risk registers just like normal, we will not be changing anything, the only difference will be our approach will change.

We are looking at what we call ‘sprint’ audits. It is easier just to give an example - purchase to pay, rather than look at a start to finish process, mapping it, looking at all the governance documents, any other documents, the policies and procedures that we would love to do, that will not happen, we will do what we call key control testing instead. We will look at three way matching: have they been approved, any exception reports, the key controls and give that process some assurance and it will be very transactional based. I will pull a lot of data and do some analytics. I accept that it does not give you full assurance over the whole process but what it does do is pull out the key risks, the key controls and say that they are still effective at this time. Because at this time, as you are all aware, we are furloughing people, systems might be getting by-passed and there might be fraudulent activity. We all know it could be happening. I think the least we can do in a situation like this is to provide some assurance rather than provide none. So we are definitely trying to do a different approach.

Also we are not developing a twelve month internal audit plan, we are producing a six month internal audit plan, with a three month review date and putting it in front of the audit committee and asking, is the plan still relevant at three months, is it working, is it effective, is it giving the answers we need and should we change at three months.

A very agile planning approach going forward because we don’t know, and I don’t know if anybody else does, what it will look like in three months. Last year if you told me to do a twelve month plan – no problem, no issues, but this is new to us and we want to do a three month rolling plan until we come back to some stability and some normality. That will be our planning approach going forward and this has already been discussed with our Chair. It is just a discussion at this stage - nothing has been documented and they have said "brilliant, do it". We also spoke to another NED on our board and they have said "if that is what you need to do, get on with it." So really positive responses on how we are doing audits. We cannot lose the fact that it doesn’t matter what the situation is, assurance is required. 

Agility – you have both had to be agile in your approach and response to your organisations. The key point for me I suppose is, can we reflect on what it was for us and what has changed in terms of what we, as individual internal audit functions are doing,  how we are doing it and how do we see that panning forward?


3. 
Agility - What are we learning from becoming more agile of thought, process and response.

Guest Panellist 1

I think I have touched on this. As I said, agility comes from doing ‘sprint’ audits, having a three-month plan where it is being very 'live'. Something we are discussing is: can we do monthly live updates on the plan? If we do need to make a change, although our audit committee does meet every quarter, if there is anything that needs to happen can we be reaching out and making things move at that time, rather than waiting a full quarter before getting to say, can we make a change?

Our work will be agile as well. Like I said, very much data analytics, transactional type of work to make sure that those key controls that are in the business are effective and still working, given what the business is going through. Those are the main things, keeping it very live and very much at that time, there is no point in me telling the audit committee in three months’ time this has happened and we should have done this, so we need some kind of live information going out if we need to.

Just picking up on that point Guest 2, no matter where you have been before, or what you are currently doing just now, do you see a greater role for that word ‘agility’ in the future?


Guest Panellist 2

From my point of view, absolutely. I think that we have to be sufficiently flexible to be able to respond and be agile. This crisis has certainly demonstrated to me that we can provide short, sharp internal audit consultancy advisory services and we are all responding, particularly in government to new government directives in very short periods of time and it is good for me to be able to evidence this as well and promote this with my teams because we can take a very long time in producing audit pieces of work. The slow pace, traditional internal audit engagements, when actually we can respond quickly, we can do things quickly and get things out of the door.

So I really think that being agile is the way forward and being able to do short, sharp more focused audit activity. And that’s not just assurance work, I think that is advisory work and I know we will talk about that in a moment, I think it is going to be a challenge for the profession, for maybe more the traditional type auditors. Although I think within my team, they do like to do the traditional type checking sometimes. But I do think that this has really shown that we can be agile and we can be focused and we can do things very quickly when needed.

Institute’s response

I agree with both our guest speakers, I think the days of traditional detailed testing type work are going. Technology will be key to the future of internal audit, whether it is use of tools like data analytics, whether it is use of tools such as Team Mate or other audit software.

We were talking about that this morning, that the time of the twelve-month plan is gone. Personally I think that it will be a three month plan approved by the audit committee with perhaps a six month indicative plan that lets the audit committee at least know the journey you are on, why you are on it and have a conversation about that. So absolutely, change is the name on the door.

 

I am going to put an ex-colleague on the spot here. As a bit of a war story I just reflect on the lack of agility in a job I had previously and hopefully my ex-colleague will be able to agree with me on this.

We used to have an annual planning process, which, when you went through the risk assessment and planning process was probably the equivalent of about two FTEs to be honest. Does that resonate with you in terms of your history?

Absolutely, I think, just in the organisation that I am in at the minute our planning process is still a bit of a ‘super tanker’ and I think that a lot of the comments resonate we me in terms of agility and being more agile and we have actually kicked that off ourselves.

I don’t think the question of internal audit is any different to what it was before. I think that certainly our board expect exactly the same things off us. I think the tools, the medium that we actually deliver, is the things that we get the opportunity now to change. So I think it is always very interesting to talk about doing things better and doing things quicker, I think that we are all generally wedded to that.

I think that the output is unfortunately that we are requested to provide pretty much exactly the same, there has been no difference there. We have had no sympathy at all from our board as to what they expect, but it is just how we deliver that, the other caveat that I would put in there just at the minute is that we don’t actually know if this is working. It is still very very early days and we have made a lot of changes in terms of how we are doing things. We have put in lots of agile processes to support us, but it’s actually only after a period of time that we can actually say whether it has been effective or not. 

So, there are challenges on both sides. We have to take our key stakeholders with us. Again, we go back to one of the principles we said in the first week, which is: ‘take your key stakeholders with you’. It’s okay having a chat but if you don’t change the mindset then you’re stuck in a bit of a rut.

Moving on, I would like to talk a bit about the advisory role. Again, we have all been advisors at some time in the past. The feeling I get just now about what I am hearing from people is that the advisory role has increased in size and nature of the advice that is been given and the timing of the advice been given.


4. 
Advisory Role – providing advisory services may have been something we have done for a long time but how has it changed in terms of frequency, materiality and impact and how are we developing key relationships.

Guest Panellist 2

I strongly believe that we shouldn’t just limit our audit work to assurance. I never have done so - I comply with the rules; I comply with the PSIAS and the International Professional Practices. But in my audit plan I have always had advisory roles and consultancy activity for a long time.

I think we are in a good position to take a step back and we can pay particular attention to key risk decisions and whilst the front line staff, the first line of defence and second line of defence are actually working to look at key decisions and moving forward with what they want to do with their service delivery, I think we are in a great position to actually help them to do that with the skills and experiences that we have and I think that we can provide that sense and logic check sometimes to support management, especially when they’re quickly responding to key decisions.

So I always think that advisory roles should not just be prevalent in a period of crisis. As I’ve said, I’ve included over a number of years and will continue to include a number of consultancy and advisory activities in my plans. They are clearly identified in my plans and approved by the audit committees and we do support things like the development and implementation of and key organisational change, new operating models, associated strategies and I know from the feedback that we get from clients that they are welcomed by clients so I really wouldn’t want to see that lost within the future of the internal audit function.

Guest Panellist 1

From an advisory perspective, with new schemes and loans that we take on and our financial modelling, management do want us to come in, but not to do a full deep dive audit, it is more of a ‘can you come and kick the tyres’ and they need it live.

We cannot afford at this time for them to be doing something, we’ll stick with the furlough scheme, because it’s known, there’s guidance out there, they want to know that if they get HMRC or any other auditor or profession to come in to see what they went through and what they did in terms of documentation, making sure that we did all the legal stuff that we needed to do, they would like us to come and ‘kick the tyres’ and we were very much saying, yes we will come and do that, normally we wouldn’t want to, because it is not our role to be undertaking a consultancy.

But sometimes I think that you have to meet the needs and the risk at that time. We still need to do what we are there to do, protect the assets and the reputation and so on. So how could we say no, come back to us in six months’ time when you are finished, we’ll come back and have a retrospective look. Now is the time to manage or mitigate any risks that are going to come through. So, we are saying yes, we will come and ‘kick the tyres for you’ and we will give you some pointers and nods on what you should be doing, if it is not already in place.

We have covered four questions to date, and I was going to summarise and reflect upon what we have heard so far. We have seen some commentary going through on the chat box, so thank you for that.

It is quite easy to summarise at the moment. Without asking our guests to speak just now it is clear we are heading towards having dynamic planning whether its three, six or nine months. We’re all heading to that space now, we’re all more active, using ‘active’ rather than agile. More active, engaging with our key stakeholders. We are more responsive to what we are hearing from stakeholders and if we were to draw a line now and just consider what we would do tomorrow in the new world, we wouldn’t do what we were doing six months or eight months ago. We’d reflect and include a lot of what we are doing now. 

As we move forward over the next few weeks, we are going to take that apart a little more, so for example, I’ll pick the sprint audit point. We might wish to talk about how that is working for other people, what’s the benefits, what’s the drawbacks, is there some really good practice that we can draw out for the benefit of everybody.

We might also start talking about key stakeholders, and back to a previous comment about the board never changing what they wanted and maybe not entirely sure how to get it in the future. So how do we engage key stakeholders better, to better position them to accept some different ways of doing things? 

For now, I wanted to cut for a moment and bring in an example of an agile audit. We had an early guest on the line before everybody else joined in from the NHS who told us about a PPE audit.

Originally, I was asked to do a PPE audit within 24 hours, now there’s agile and there’s agile so that was a bit unrealistic, but we got an extension of a couple of days.

We led the PPE audit  but it wasn’t just internal audit and it worked quite well because we had experts from the Trust also on the team and also from the clinical end and someone from the Ministry of Defence (MOD) as well.

We worked as a team together to do that audit. It did require some on-site visits, so the MOD were happy to do those. We had to adapt an agile approach as well and concentrate on the key controls and take advice as well from the experts on the clinical side and the medical side as we didn’t have the expertise in some of the areas.

There were six control objectives to be covered in that time, but we got there in the end and it was good to be part of a team with all the other expertise involved in it. So, just in case that comes up and others may be asked to do something similar.

Thank you, I just wanted to give that as a live example. A very topical subject. The most topical subject now.

It’s a case study. We can do something if we want to and we can do something if we put our mind to it.

Another comment coming through the Chat box relates to the US and another rapid response, rapid deployment piece of work. This is really what we have to think about for the future, if we haven’t done it already.

Now, turning to the Chat box comments at the beginning of the session a participant asked if they could ask an extra question.

It probably contributes to the reimagination of internal audit part of the discussion. Given the new remote auditing principles, financial pressures on the travel budget and other expenses, do you believe that there are certain categories of the audit that have to be capped in its original format ie internal audit team travelling to the client and have face-to-face dialogue as part of the typical inventory validation existence assertion, what do you believe needs to be capped in terms of face-to-face contact between the audit team and the client?

Institute’s response

I think that is a really interesting question and I think it is probably easy to sit here and say "no, no, no we will be able to do everything remotely and technology will lead the way". I don’t think that is true and I think that we need to recognise that there will be some work that we will need to sit down face-to-face to do. 

I wouldn’t be so enthusiastic doing a cultural audit or some of the softer skills audits through technology now. It may well be that we learn over time, but initially I think that those sorts of audits you might need some face-to-face contact even if it is at social distancing, so that at least we can begin to understand the body language of what we are being told. 

I think some of the other challenges we may face may be around the difficulties of providing evidence through technology depending on the maturity of countries that we might need to visit. These may be issues which we might need to think about. So, I can’t give you a yes or a no I think there are different perspectives that we need to consider.

 

From a conversation in another forum we have had this week we talked about this and I think the reality is that on the face of it, there are certain topics that you would naturally feel uneasy to do remotely and there are other topics that you would naturally feel, because it is on a laptop you can do quite comfortably.

 

Thank you for attending. As usual we look for any feedback, responses, suggestions for improvements or for your comments outside of this forum at your leisure. I hope you have enjoyed it, we are going to change it each week so if it is starting to look a bit different and it looks promising please let us know. Please cascade as far and as wide as you can as you feel is appropriate and please help shape the discussion going forward. Thank you to our guest panellists. 

We hope to involve Audit Committee Chairs, CEO’s, CROs CFOs and future HIAs as well. What I am trying to do just now is put a panel together or a group of people I can call on over the next few weeks to get involved. I have some names but I do not have enough yet so I would ask if you have anyone in the governance structure in your organisation that you think would add value and be keen to add value and profile in this forum, please ask them to attend. It would be great to see them and I’ve got no doubt no matter who it is they would provide valuable insight. So all names to Derek Jamieson (derek.jamieson@iia.org.uk) please. 

If anyone has any questions outside of this forum or that might pop up after thinking about the discussions today, please feed them back to Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk). We will happily submit the questions to future forums or come back to you on questions that might be specific to you.