Heads of Internal Audit Virtual Forum

5 August 2020

Please note:

  • All Institute responses are boxed and highlighted blue
  • Where the chair comments in that capacity this box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised 

The Heads of Internal Audit Virtual Forum is now moving into a new phase and we are turning our attention from COVID-19 to a range of other topics over the coming months, as detailed below.  

Date                   Topic
5th August 2020        Build back better I
19th August 2020       Data analytics
2nd September 2020     Cyber
16th September 2020    Culture - critical in a crisis?
30th September 2020    IIA conference - no forum on this date
7th October 2020       Risk in Focus
21st October 2020      Agile
4th November 2020      Build back better II
18th November 2020     Disruption
2nd December 2020      Brexit
16th December 2020     Climate change

  

Chair's comments

Today’s session is about "building back better", using the lessons we have learnt to date and applying them going forward. The two subjects today are internal audit planning and virtual auditing.

The purpose of the session is to share experiences and responses to the COVID-19 crisis, actions going forward and the opportunity to challenge and to consider for the future.

The slides from the presentations will be circulated with the notes.


Speaker 1 – Internal audit planning

Internal audit planning is an important part of the discussion for shaping the future of the internal audit agenda.

As an organisation, we decided that we needed to be more data-driven and agile. The pandemic has given us all an opportunity to change things at a much faster pace than we had planned.

I do not believe that we should have annual plans, I believe they are obsolete and preparing an annual plan is just going through a process. I know some will agree, and others will disagree.

Like many of you, the pandemic has allowed us to move to quarterly plans immediately, and this must be the opportunity to ensure we never move back to annual planning. Why don’t I like annual planning? The planning process can start in November to formulate a plan that can start on 1st April the following year and then to end the following March. In theory, we can agree an audit plan in November 2020 and not deliver it until March 2022, which is nonsense.

We must ask ourselves, what is the purpose of the annual plan? Is it because we have always had one or is it because we need to be accountable to our customers? Is it to conform with Standards?

We as auditors talk about efficiency, identifying over controlled areas, and then we go through a lengthy bureaucratic methodology to generate a plan that is out of date by the time it is finalised. If we were being audited, it would be highlighted as poor value for money.

My panacea for those with good enterprise risk management would be to collaborate with risk colleagues, to have regular, ongoing, continuous risk assessments. The focus of the risk-based plan, in my opinion, must be the corporate risk register. I know public sector risk registers are mixed, but I take the view that as heads of internal audit, we should be the conduit between the directors, risk managers and members to ensure that the corporate risk register is accurate, complete and the future risks have been identified.

As heads of internal audit, we need to be braver and have those discussions that say to management and audit committee members that we need agile planning, quarterly or continuous plans that are focused on high risk areas.

At one of our partners, the audit committee now feels better informed and better connected with the organisation’s risks because of quarterly and continuous audit planning.

How have we gone about it? Before COVID-19 we had prepared a six-monthly audit plan that included a simple priority column – high, medium, or low, as well as a time indication – earlier or later. This was done with the aim of moving more to agile planning, for example not fixing times into quarters, but having a backlog of audits that are picked up when the business is ready.

Following COVID-19 we noted that even this was not dynamic enough, and have now moved to present quarterly plans, although, in reality, audit planning is now a continuous process. This enables a much more responsive approach to emerging issues, risks, and central government changes. So, we will present high-level quarterly plans, but even between these we will be constantly liaising with senior managers, identifying new priorities as well as checking back in with our original six-monthly plan. Going forward, we will produce quarterly plans and, more importantly, we will review the quarterly process updates which will detail what we have covered as well as linking this back to cover key risks.

As an organisation we are moving to dynamic, continuous quarterly planning and will be able to demonstrate by dashboards where we are providing assurance against the key risks.

In conclusion, I believe that annual plans are obsolete, they are ineffective and try to tell a story at a point in time that is inaccurate once that ink is dry. Apologies if you think I am too controversial, I intended to be just to start a debate.


Institute's comments

One of the things that the Institute is aware of is the lessons learnt through the last 20 plus weeks and moving forward what we need to do to change the way that internal audit works, to change the way we think so that we are more forward looking.

The need for an annual plan has diminished, internal audit needs to be responsive to stakeholder requirements and requests from across the business. By putting a 12-month plan in place, we end up making so many changes to it that at the end of the 12-months it bears no resemblance to the 12-month plan at the beginning of the year. It, therefore, becomes a mechanistic process.

Assurance maps were also mentioned, these are something that we all need to look to.

The audit committee where you take your assurance map, your strategic plan, your operational plan, and our charter is that pivotal meeting for the year ahead. The strategic plan is showing foresight, horizon scanning, etc., the operational plan, the three-month plan, the six-month plan is the here and now – what are we going to do, it facilitates a conversation.

When the Institute undertakes external quality assessments (EQAs), we summarise annually the findings from all of the EQAs. One of the constant themes has been operational planning – it isn’t always a professional strength in terms of the approach, format and focus.

Now is the time to look at what we do as heads of internal audit, think about how we plan, make our planning better and think about – do we really need a 12-month plan? With all the uncertainty coming down the track – you will spend your time making changes and amendments to it – I endorse what our speaker has said, but at the same time, appreciate that some will still have audit committees that look for an annual plan. Let’s see if we can persuade them that there are alternatives to an annual plan that give them assurance about things that matter. 


Participant invited to share their thoughts

We found the longer audit plan tended to be a waste of time because it changed so much, all that effort was wasted. In terms of EQAs, we had one about 18 months ago and one of the recommendations was, to help with overall assurance planning and to help resourcing decisions on group audit, we should at least have a one-off exercise to look at that risk coverage across the organisation. We did that recently, so how useful that will be, we will have to see. In terms of ongoing planning we are moving to shorter term periods to be more flexible.

Speaker 2 – Virtual auditing

I lead a team of outsourced internal auditors and service approximately 40 audit committees. Pre COVID-19 my work would be generally in line with regulation and legal requirements with internal auditors on site, with quarterly reports and quarterly meetings with audit committees.

We would have prepared annual internal audit plans, but there would have been intervention during the year to change them, so I can see the point being made that the plan becomes quite confused when you are regularly changing them.

We now include the following statement in our audit reports:

“Our work was fully completed on a remote basis, enabled by enterprise video communications, secure data portals and other digital business supports, and, was suitably aligned to standards and work practices as promulgated by the Institute of Internal Auditors in this regard. More specifically, under Performance Standard 2300, as issued by the Institute of Internal Auditors, internal auditors must “identify sufficient, reliable, relevant and useful information to achieve the engagement’s objectives.” In meeting this Performance Standard, appropriate checks are made to ensure the integrity and provenance of source documentation received through digital channels.”

Planning – if internal audit is risk-based – we have a universe of work programmes, we have rapidly and radically changed our themes to include COVID-19 relevant things, such as remote working, financial projections, arrears management, etc. a range of new thematic areas to focus, so we have rapidly changed all of our plans to try and adapt and become relevant. The planning enables us to show that we are relevant, we can give you insights, we can give you advice and assurances on areas that are very relevant for your business, we can provide control improvements on those critical areas.

Delivery – technology is there, it was always there, we have now just become more aware of it since the pandemic. We have changed people’s perceptions to see that data portals and Zoom is an acceptable way to do business, to do our job. To me, the delivery was both a technological challenge which was easier to do, and a psychological challenge which was harder to do. Getting the audit committee comfortable using Zoom so that we were able to talk to them was a challenge.

Engagement – I was driving 1,000 kilometres a week, now this is 10 kilometres a week. I am ‘Zooming’ in around the country, meeting my clients a lot more frequently than I would have in the past. We are trying to give insights into the rapidly changing economic environment.

I would say boxes one and two would be potentially defensive and boxes three and four could be more of change for the better as we try and improve and use this as an opportunity.

The mission of internal audit is to provide assurance and also to give insight. Now is the time that our clients need insights, so we are now invested in doing smarter things in the new way.

It is all in our mindset, our perspective – that change must come from within – we must reimagine and rewire what we do, and how we do it. To me the key words are – relevance in what we do, we must have insight into what is going on outside the four walls of our clients and use enhanced engagement that this situation now provides.

The mission is to provide assurance, advice, and insight – I think those three things are needed now more than ever, particularly the very last word. To me, the mission has not changed, it is how we do it, how we change people’s perception of what we do, and the way we will deliver it. It has been a very interesting, traumatic, dramatic but very rewarding journey. I now think we are more efficient, and we are more proactive than we have ever been, completely out of necessity, but out of necessity comes opportunity.


Chair's comments

In reference to slide six, you mentioned planning, delivery (defensive/survive), engagement and insight (proactive/thrive).

This is a lot of what we have been talking about in previous weeks, about survival and the defensive mode of dealing with COVID-19, now it is more about stepping forward.

In a sense you could argue that the firms are positioning themselves for an offensive on in-house audit functions. What our speaker has described is that they have managed to be exceptionally agile, deliver the same service if not better, create more time for insights and at the same time improve the engagement with clients as well.

From an outsource perspective that is a great place to be, from an in-house perspective that is not a great thing to hear - we need to try and defend ourselves here.

As internal audit functions we want to do the best we can for our organisations, we have to be aware of what is going on around us, in terms of our peers, best practice and in understanding other organisations who might do it better than we can do it. I think slide six encapsulates this, we have been defensive, we’ve held on to what we have, now we must move to the new space for the future.

 

Institute's comments

It makes sense, the added value from internal audit insights, this is one of the things that the Institute is currently talking about.

Wasted time travelling across the country, across the globe when we could be spending that time looking at research and development etc. is inefficient. There is a lot in the here and now and the recent past that we need to keep hold of and take forward, ‘bottle’ it (to use a term used by one of our participants) for the future and make sure that we make the most, as a profession, of the opportunity COVID-19 has offered us.

We have the opportunity to do more, to do the things that perhaps, we would not have had the time to do in the past. It is about utilising every moment of time that we have to take the profession forward into a new normal, a new world.


Participant invited to share their thoughts

We have a commitment to go around all our business units, our cyclical coverage is to visit each one every two years. Within that, what we take to our quarterly audit committee is down to us based on our engagement, our risk reviews. We do have the flexibility so we can change as we go through. I think the challenge is the resource management. We do need to look beyond quarters but I think the ability to change much more quickly and to use the agile phrase, to understand what we face and then have the autonomy to make those changes, with the support of the audit committee. I think that is working for us and has worked very well for us through COVID-19.

Participant invited to share their thoughts

The discussion around planning, someone probably needs to explain this to some of our stakeholders in Europe, as some regulators e.g. the ECB require a three-year plan and get rather agitated when they do not receive one of those. In Financial Services, given the SMF (senior management function) responsibility, it is quite hard for the audit functions to say, don’t worry we will cover everything that we need to. I think there will be a need for more work to be done before we can get away from an annual plan, although like others, we tried to get to a more agile plan.

I think the other thing is when you have got resourcing constraints, and the risks in organisations are changing quite dramatically, as they have done in COVID-19, you have got to go through some form of exercise to try and understand the quantum of what that change is and how you are going to be able to provide that assurance. If you believe that you are going to determine your budget based upon the assurance that you need to deliver, then you do need to go through some form of exercise to quantify that.

Moving to the second presentation, how you move effectively from your old way of operating to new. I think it is clear, as was said, the importance of trying to add value. The opportunities we’ve had during this time, to add value and for me the important bit about how we go forward, is the relationship with the business that has substantively changed and how do we ensure that we continue to effectively drive more value for the organisation as a whole.

Participant invited to share their thoughts

Within higher education there is a sector group for chancellors and presidents. They had an audit committee handbook that they revised over the space of the last two years. Disappointingly it still assumes and puts forward as best practice, that you still have a three-year plan. As a member of an audit committee I can see the need for wanting some assurance over a timescale, but not for a rigid, set in stone, three-year audit plan. What goes through my mind is the need to try and influence these people, not our own audit committees who report into this sector group, but all of these advisers and influential people who feed in on the background. How can we get to them, to keep them involved in the latest professional thinking?
 

Chair's comments

Thank you to the speakers for sharing their working practices, lots for all of us to consider, I am sure you will agree.

We now have an agenda that shows the topics and running order for the coming weeks, however, depending on the availability of speakers the running order may have to change.

Over the course of the next few sessions we are keen to get people engaged in sharing their views, it does not necessarily have to be with slides. We want to get a view from anyone on the topics that your function, or you as an individual think can add some value to this community. If we have a strong community that works well, it is only going to be because of the input that everyone provides.

For the data analytics session that is coming up, it is a subject that again has a wide variety of take up - we will have some good practice and some not so good. For this next session I am looking for approximately six examples of good application of data analytics (anonymised) that people are willing to share. If you are willing to share some information please let me know at derek.jamieson@iia.org.uk.

We are trying to widen participation in the forum, if you are aware of any head of internal audit that hasn’t been part of this and may be interested please let them know, ask them to contact: Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk), and we will invite them to participate.

Finally, as today’s session draws to a close, I would like to thank you all for attending and for your questions and contributing to our discussion.


Chat box comments from attendees

Does anyone work with regulator expectations of either an annual plan or a 3-5-year cycle where the audit universe must be covered?

  • I use a 6-9 month rolling plan, updating as I go and informing the audit committee at each meeting what has changed. I have seen some outsourced providers however still stick with 3-year plans.
  • We have a 6-month internal audit plan - a game changer for sure.
  • We dropped our 3-year planning a number of years ago, focusing on an agile/flexible annual plan. But this year we were asked to provide a 3-year outline plan to assist with assessment of longer term risk coverage and aid resource requirement decisions.
  • We have a mix - there are areas like safety where there is an expectation of coverage over 3-years. However, our normal plan is a rolling one with decision gates and plan entry criteria that drive items from the backlog into the execution funnel. Current and next quarter are in execution - following 6 months are 80% firm and then we have 50% firm 6 months that look out and 12 months looking at risk coverage. We are looking at risk storyboards to help coverage and agility.
  • We use a six month 'plan' which is very flexible. Unfortunately, a sector interest group has recently revised its guidance for audit committees and sadly still refers to 3-year plans (despite our best efforts to persuade the author otherwise).
  • Is the solution the best of both? An annual plan, but the mandate from the audit committee to flex the plan on a comply or explain basis.
  • In the prudential risk area, there are mandatory reviews we must perform to support the production of regulated documents for capital and liquidity - they expect these annually.
  • We have set up our current set of audits, reviews and advisory work on an electronic Kanban board which allows us to review workload, backlogs, and new items on a weekly basis.

Agree with the sentiments entirely.

I agree, and it is important that risk registers are kept up to date to enable our plans to be flexible.

In my role I use a 'long list' risk-based approach, similar to what has just been described. I have seen similar benefits to the ones described, including a better recognition of the value add and being seen as a trusted partner.

Assurance maps are so key and a useful tool to demonstrate to board members that they are getting information on everything they are concerned about - not just valuable for internal audit to help drive our work.

I think there might be challenges on this approach if your internal audit is completely outsourced to a firm given the typical length and pricing of contracts in the firms. However, that said it might support this as a solution more as the resource base and therefore technical expertise is much greater than a typical in-house function?

This surely resonates. I also see an opportunity to get external benchmarking and best practices to add value in how others are managing the control environment.

We have 200 locations around the world, using virtual conferencing has increased during COVID-19 but was already being used beforehand.

Love that slide (p6) – second presentation.