Q1. Institute: Do you (HIA) have a clear view of where the value, in internal audit, it going to be, after COVID-19, and a road map that will raise the profile/bar of internal audit and enable it to add value to the organisation?
It is important I think to embed an understanding and appreciation that auditors never come without a reason - this would normally come from excellent alignment on risk appetite. What happened to that appetite during COVID-19?
It would be interesting to understand why contribute doesn't equal doing audits.
For me in the short term it's about helping the business ensure that the good stuff, like greater agility, more remote working and the like stick and we don't fall back to old habits like travelling for all meetings and we hold the same mirror up to ourselves and our ways of working. Longer term it is about the audit universe and where the greatest risks are.
I sense some audit committees and CEOs may want more of a back to basics campaign - recognising other sources of assurances may be hampered (eg disbanding of 2LoD assurance work). Whilst the trusted advice aspiration is noble and I’m keen to do it, do others anticipate coming under pressure to focus on the basics - giving assurance that core controls are happening as they should?
I wholeheartedly agree with the Panellist and the Institute’s sentiments...it is vital for us to step up and demonstrate real added value to our key stakeholders. How we do this this will vary from organisation to organisation - and not just talk about it...
That is the very reason for which we instituted monthly reviews of critical processes and controls. We want to automate it as much as we can now, to make sure it doesn't take a lot of bandwidth and enables us to support bigger cases.
I agree with the sentiment expressed. Balance of assurance over emerging risks and existing risks that have increased because of the current situation whilst also balancing providing risks/control input to revised/new processes will be an ongoing balancing act.
Q2. Institute: What role should building/re-building internal audit have in helping you (HIA) accelerate your ability to provide assurance around new and emerging risks whilst not forgetting existing business critical risks eg cybersecurity.
Good point re desktops. Also, it will be laptops with cameras - some of my team currently have laptops, without cameras, as they were cheaper.
Change management policy and processes are definitely at the heart of the new assurance plan.
We need to ensure that business resilience measures are built into risk registers - not merely looking at current controls.
This is our opportunity to show the value we can add - keeping in touch with the response and recovery plan at top level of the organisation is key. Identify proactively where we can provide support.
Auditing in the future is a good concept...looking at current controls but also resilience too - perhaps an objective view of this in terms of staffing, IT, stocks/inventory of key assets, process resilience for remote working etc.
One point I am conscious of is starting the audit plan from a blank sheet. Areas where I was historically very comfortable in terms of the robustness of their control environment will need a re-look to see if things have changed. My prior audit results and historic data will be a much smaller influence on future priorities than it was previously.
Q3. Institute: How can you (HIA) lock in the benefits of a more agile operating model to increase value add, coverage and level of assurance provided to the business?
I'm pleased you’re conducting audit work in an agile way without the need for tiresome and painful jargon.
I share the panellist’s concern re how we give assurance on critical life and limb processes – it is a real challenge for us at present. I completely echo the challenges re PPE too!
In a public health utility - the offer of help from internal audit to support front-line emergency really has been welcome.
Q4. Institute: How should you (HIA) rethink your talent strategy so that you (HIA) have the people you need when the recovery starts eg expertise around new risks, ability to understand lessons learnt models etc.?
Fair point - assurance in the old world may now be out of date!!
We have five questions that we will be discussing today, and putting to our two guest panellists, each panellist will take two questions each, the final question, will be answered by the Institute’s Interim CEO.
Q1. Do you (HIA) have a clear view of where the value, in internal audit, is going to be, after COVID-19, and a road map that will raise the profile/bar of internal audit and enable it to add value to the organisation?
The answer to your first question, do I have a clear view, the short answer is no I don’t but I’m sure you will want me to elaborate on that. I have to say, I have more clarity in some areas than in others and equally I must admit over the last six weeks I have changed my views on what the future might hold and what it doesn’t hold.
So if I may, I might break it into three sections, the immediate issues that face me, the ones that I think will face me over the next year and then maybe a more strategic future outlook on how we can add value after COVID-19 and indeed do I have a road map.
I suppose the first thing that immediately I am very conscious is that in our unit we carried out audits of BCP (business continuity planning) and cyber security in the last six months and of course I was very curious to see how those audits coped with the possibility of COVID-19 that I never imagined would come along. I have to say that, at this point, there is a difference between unprecedented and unimaginable. I think we’re all beginning to see the difference between those two words very clearly, I’m having to cope with both in my ‘mother’ department and the ‘sister’ department that I also audit; how are the internal controls at the moment coping with emergency purchases, emergency procurement which, by definition has broken a few rules already and I am conscious of that.
People in private sector companies will be more familiar with supply chain issues which really don’t hamper me so much in a public sector department. I am unclear at the moment as to how, or if we have the technology to support remote audit working in the future. They are my immediate thoughts. Over the next year, which you might call the start of the road map, I have certainly come to the conclusion that we should focus on proactive reviews that will provide more advice and consultancy or equally as much advice and consultancy as it does assurance. I think that we need very carefully to make sure that we are seen to contribute to business not to inhibit business, and I think that is a big big danger. I think that people could look on an internal auditor coming in, maybe in a months’ time, and “saying do you not think we have enough to do without having you in here as well?”, so I think that is a risk.
I think our main jobs in the next month or two could be gap analyses on BCP, gap analyses on crisis management and of course thinking about our future in the unit around travel, on-site audits and e-Tec options for audit.
Finally, from a future strategic point of view and I apologise for using the term ‘new normal’ I think the first thing every organisation will be doing will be re-evaluating what is on the risk register. I know that people are saying there are emerging risks, I don’t think so much that they are emerging risks, it is just that the risks that are always there have turned out to be unprecedented and unimaginable which is a big difference, in other words we’ve all done BCP, we’ve all done cyber security audits but we never every thought that they could last for more than a week or a few days and that’s the place we are now. So, I think we will have to re-evaluate and re-prioritise risks, including those ones that are changing, if you want to use the word ‘emerging’. I don’t think that the risk registers as they stood two months ago really could forecast the source of the risks that have now come to fruition. I think, as I have said already, we will be increasingly more the ‘business adviser’, rather than a pathologist, going back and saying where we went wrong. I think we need to have in the internal audit space a more critical review of risk prioritisation.
They are my general thoughts at the moment. Just as an anecdote, we were in the course of what we felt, was a very proactive audit review in our unit in the last three months, which was a review of culture. We literally got the interim report from our consultants on 15 March 2020. Now I wonder, a review of culture, when we were all sitting in offices, when we could walk up the corridor, it's almost as if we need to start again. So, that’s an interesting problem for me to re-energise this review and to try and work out will it have the same essence.
Interim CEO comments
A few observations from a CEO perspective: I like the words proactive review, contribute to business, not inhibit business and that really strikes a chord with me. The other thing that strikes a chord is the word ‘business adviser’ because clearly, as any CEO in this position, we are all living the same thing, but as CEO other things for me to consider include people, liquidity, the balance sheet and transformation.
There are a lot of things going on and different time horizons. It is very useful if somebody takes away the ‘to do’ list in terms of thinking and comes in to me and says, these are the sorts of issues that you might want to think about because we’ve all got bandwidth issues at the moment and this sort of structuring is most useful from the perspective of a CEO or a board.
It does depend hugely on the maturity of the internal audit unit and the maturity of the organisation in which you are faced. I see one of the participants today who carried out an EQA on our unit and they know that maybe five years ago we were not in the position to offer advice as much as we think we are now. Just an observation.
Some really great thoughts and from an Institute perspective I couldn’t agree more.
I’m hearing regularly now that organisations are expecting their internal auditors to contribute to the future sustainability of the organisation. That’s not necessarily getting bogged down in doing audits, when the organisation is focusing on recovering in terms of revenue generation, in terms of loss of customers etc.
So, I think it is really important that we add value as internal audit by being able to be flexible and agile, but being able to recognise what our role is within the organisation, the CEO (John Wood) talked about ‘trusted adviser’, but also recognised that we need to support the organisation moving forward.
In terms of a road map I think that I would be expecting, as a chair of an audit and risk committee (and I have said this to my internal auditors), I am expecting them to tell me what the next twelve months looks like from an internal audit perspective. Where do you foresee spending time and is it in the areas where we, as an audit committee would want that level of assurance? I think that is exactly the questions as internal audit we should be asking of our audit committees.
What are the risks that concern you, where do you want us to focus the level of assurance we provide? As an anecdote, the organisation where I am chair of an audit and risk committee did a BCP test in January 2020. The test they did, or the scenario, was a pandemic and I remember us, as the audit committee saying, “well we thought that was very overly dramatic and why on earth would you think that?” With hindsight – very sharp!.
Q2. What role should building/re-building internal audit have in helping you (HIA) accelerate your ability to provide assurance around new and emerging risks whilst not forgetting existing business critical risks eg cybersecurity?
I was starting my new four-year internal audit strategy in December 2019 and indeed it is going to change an awful lot now because of the new or severity of these new risks. The principles around the changes that I will be making I think are around flexibility – flexibility of our staff, flexibility of the way we carry out audits and how possible that is.
This may not be our last pandemic or certainly our last unprecedented surprise so I think in our unit particularly, we have tried to formalise communication a lot more than it was before, when I could just walk down the corridor. We have regular meetings now, on a weekly basis, in fact more than weekly. We are checking in on each member of staff, it is not just from an audit issues point of view, but also a health and wellbeing point of view; are they coping with sitting in a room at home, perhaps particularly if they have children or other needs that they have to look after. So, more formalised communication I think within the unit, with risk managers, with peers in the organisation and that’s all done by way of these telecommunication links we have now. We have peer groups in our organisation and other informal fora, and we are doing it much more often now than we did in the past.
I think that the health and wellbeing of the team is going to be a major issue to try and work out the technology that we are going to use in the future. I can see for instance that the future sales of desktop PCs is going to plummet and that sales of laptops will increase. Who will want to have a PC sitting on a desk, in an office you never visit or that you are not likely to visit very often? So not so much the new emerging but the severity.
The old risks won’t go away, there’s no doubt about that, but I think we will look hard at how we prioritise them and put them in context against what has now turned out to be far more serious areas.
So, to finish, what would be my focus – continue with BCP and that could be for instance, as I said earlier a gap analysis around how BCP has worked so far, I think telecommunications. I have no doubt that in a years’ time Zoom will be a far better tool than it is now and I think we all need to be ready for that and ready to use it.
I have already re-deployed five of my staff who are going to carry out ‘contact tracing’. So, I am losing some staff and I must admit I am not losing as much of the audit requirement as I thought I would lose six weeks ago. I thought that six weeks ago management would come to me and say, “listen we really don’t want to see you for a couple of months.” In fact, they have been quite eager to bring us on board and to keep audits going, particularly in one of our departments, perhaps more so than the other. So, I need to look at re-deployment of staff but look at it on a short-term and a long-term basis.
Finally, the other thing that struck me was that in a crisis I think practice comes ahead of policy, in other words, there are changes to business processes that run ahead of policy, that run ahead of governance. I think we are going to be doing a lot of catching up in the next two months in the terms of the practices that we have justified because of the crisis, and catching up in terms of putting in processes and polarising those processes. Again, at the risk of repeating, my message would be contribute don’t inhibit, give timely advice and let’s look at how we prioritise our risks again.
Interim CEO comments
There were some interesting outtakes on your thoughts and what you are doing, particularly in relation to not losing as much of the audit requirement as you were expecting and re-deployment of staff. It is interesting that you are re-deploying to, obviously, what is a key area given the current health crisis, which reflects on two key words ‘pragmatism’ and ‘priorities’.
I would like to look at the first couple of words of that sentence about the role around building and re-building internal audit. I absolutely agree with what our guest panellist has said - risks we need to know about - understand the new ones, but don’t forget about the ones that are already there, but perhaps reassess them through the COVID-19 impact.
I also want us, as internal auditors to re-think how we do things. So, you know the methodologies we’ve used that go back twenty plus years – now is the time to think about doing things differently, how can we do things faster, how can we provide the assurance that our key stakeholders are looking for, but at a much more rapid pace than we do now.
Audit committee members say to me frequently “internal audit does a brilliant job; you do your fieldwork and then it takes us six weeks to get the report. Can you not give us something in forty-eight hours?” I think those are things we need to learn, in terms of the lessons from the here and now.
So, how do we get our messages out? How do we communicate faster and how do we provide the level of assurance our stakeholders are looking for?
Interim CEO comments
I have seen an interesting question on the chat box. Can I ask the writer to expand on the point that you have made around ‘change management policy and processes definitely being at heart of new assurance plan’.
The point I raised is around the importance now of change management in the organisation and really picking up on what your guest panellist said earlier around the fact that, coming to my table at the moment is a huge amount of new processes. It is fantastic that we have been asked to get involved in it, but you know, that is shaped across the three lines of defence and ensuring that it goes up through the proper governance structures at this time is important, because we could be in line for a huge mess on the fireside. I think that if we can have conversations around the importance of change management and consulting with the right people across the three lines of defence. I think at this point it will be very valuable in, I suppose, preventing that mess on the fireside.
I think that the above comment is absolutely right. It is brilliant that we are being asked to contribute to policies and procedures that the organisation is making, but I also think that our guest panellist was also correct. The organisation will be making decisions now that we don’t have policies and procedures or even controls in place to ensure that things go according to plan.
I think there will be a lot of catch-up and, although I don’t know, I would guess with the response above, even if they are going through policies and procedures, they are probably already implementing them and we’re playing catch-up.
But I think it is important that internal audit is available to help in that space and then potentially available to help correct things that are perhaps not as one might hope they would be when we come out of the other side of this a bit.
We are all aware of the anecdotes to support that. Our organisation has purchased PPE and other items, broken every procurement rule in the book and indeed aren’t quite sure where some of where the money has gone. So, when we do our postmortems, in as such as they are helpful, these are going to be issues to be faced afterwards and the whole supply chain area, in other words, so that we are prepared for this in the future, so we don’t have to be doing emergency procurement, will be a lesson learnt - with hindsight it is easy to say that.
I think that is a really good point as I think that a similar kind of thing is going to happen here, not so much from a cost, but they were saying on the news today that the Nightingale hospitals that were built rapidly to take the capacity are now being put on hold or ‘mothballed’ I think was the phrase and I’m sure somebody at some point in the future is going to say did we make that decision too soon, but if we waited would it have been too late. So, you have that balance in a crisis in terms of coming up with the right decisions.
One of the organisations I was with, one of the phrases that was used a lot was ‘no regrets’. When you are in a middle of a crisis, especially when it is a humanitarian one, sometimes you really have just got to push the boat out, you have to do everything you can, but you try and do it in as a controlled manner as possible. I do think that is actually where the lesson learning from this will be really good, because you’re not necessarily learning lessons about how you make decisions in the future, coronavirus pandemics, you’re learning for any unexpected circumstance that hits you.
I’d also like to make another point, that, I think reflects what has already been said, I do think that internal audit has an incredible potential to challenge the business not to just go back to what it was doing before. I know that is going to be an issue for my organisation. It is very easy to just say, “oh well we just pick up where we left off in the middle of March.” But no, we have shown that we can do things differently, we’ve shown that that can have a good effect and lets hold onto the good things about the new world, while we’re trying to fix the things that we would rather not have happened. I guess it is the opportunities as well as the downside risks.
Q3. How can you (HIA) lock in the benefits of a more agile operating model to increase value add, coverage and level of assurance provided to the business?
I should start by explaining I am one of two auditors; we are the classic small audit shop, we have some projects delivered by a co-sourced partner and we occasionally engage specialist contractors on an ad-hoc basis.
Our small size has essentially meant that I suppose, agile has always been innate in the way that we work. We don’t apply a framework of huddles and scrums routinely, we have contact with each other, sometimes daily with our co-source partner, depending on the project that we are working on. Like many organisations in our sector the goal posts move, none more so than at the moment and the priorities and objectives that we have to adapt to and that means we have to move on the scope and the objectives to ensure the value from our work and if that is necessary, we will do it.
We have a mechanism to reach out to the audit and risk committee at short notice if this needs to be done, if there is a material change to any of our plans. So, all the time we are looking at being agile and I suppose, I keep changing my mind about this, the pandemic has seen us follow guidance by the HSE (Health and Safety Executive) to ensure the safety of the people in our services as well as our colleagues, and our focus as an organisation is on maintaining the services to the people in their private homes, in our residential settings. Many of those service users also have complex underlying health conditions, so they are of considerable risk from COVID-19 and, as a result, everything that the organisation does is focused on that and we have had to adapt an awful lot around holding back from audit work that would impact on people providing critical services.
Also, on the other side we have had to contribute with help around policies and procedures. Circumstances have arisen in the last couple of months that have required us to review those and that is where, as internal audit, reviewing those policies and procedures we are acting in an advisory role. To a certain extent it is probably going a little bit beyond just advisory and we are having to be a bit more forthright at times, to make sure that we are giving people the tools to support the people in our services but also to protect the organisation.
As far as internal audit being agile our general approach so far has been to review the plan, I think this is going to be common to many of you, reviewed the plan for this year, rescheduled audits. In the early days I had my colleague reviewing the audit manual and updating the processes. Another interesting little piece of work that has come to us in ‘standby’, is delivering PPE to our services. That is simply if we need bodies on the ground to get PPE purchased and maybe needing to get it up/down the country, wherever it may be, we are on standby to do that. It comes back to the issue of what are the priorities for each individual organisation or the sector you are in and something as simple as that could ultimately be a matter of life or death and we are trying to adapt to that.
Another area that has come from this, like many care providers we are having a tight staffing situation, whether that is down to self-isolation, general illness, or childcare problems for some of our colleagues. We are having to recruit quite quickly, so again, an area we have tried to look at is trying to provide assurance around the employee background checks, the vetting, the induction training. We had already moved to an online induction training which has been quite helpful in this situation, but again, it is adapting to what we see as the priorities in the organisation and trying to support those, being at times advisory and others just being an extra pair of hands to keep the show on the road.
Overall, whilst I think we are a small, agile team, we still look to be adaptive and flexible, locking in the use of virtual meetings – for us it is Microsoft Teams. We are going to further develop that understanding and the trust of the ICT team, which was always been okay, but actually, in the last couple of months it has really strengthened. I suppose internal audit has been seen as the supportive voice of the initiatives that they are taking, so we would like to build on that further and for me personally, it is to re-emphasise that after the pandemic, we are a source of advice and in-house consultancy; when all the dust has settled on this and we can be approached around the re-building whatever the ‘new normal’ is.
Interim CEO comments
That makes it very immediate and real and a matter of life or death and really brings it home as to how internal audit are helping front line staff and the issues and challenges your organisations are facing. Thank you for sharing this with us.
Institute’s responseAbsolutely, I agree with our guest panellist. That for me was "agile" beautifully demonstrated in a scenario where the guest panellist and their organisation is dealing with vulnerable people across the country. I think that is exactly the role that internal audit needs to play at moments like this. We’ll look at it afterwards, we’ll analyse, we will investigate, we will review. The only thing I would add is that taking your audit committee chair with you so that they know what you are doing is money in the bank for the future. So, I would just add about the audit committee chair.
At the start of all of this, one of the first things we agreed with our audit and risk committee was that in principal, they were agreeing to us doing non-audit work, but the mechanism was, that I would reach out to the chair as a request comes in and we will get the yes or no literally within the hour, that’s the agreement that we came to.
Interim CEO comments
What is clear to me is the shortening of communication chains, in that timescales shrink in a crisis.
Six weeks ago, before this pandemic short term was three months, medium term was a year and long term three to five years.
Six weeks ago, short term is - today/tomorrow, medium term - this week/next week and long term - the end of the month.
As we come out of the immediate crisis and go into the recovery stage, thinking about re-building perhaps now timescales have moved to, short term is two months, medium term is six months and long term is two years.
It is amazing how elastic timescales are as we go through this crisis.
Q4. How should you (HIA) rethink your talent strategy so that you (HIA) have the people you need when the recovery starts e.g. expertise around new risks, ability to understand lessons learnt models etc.?
As I said a few minutes ago, being a small team with some co-source partners, I think the resources we use, I don’t expect to change, but the mix of those resources may well change and that is going to be depending on any new strategies that arise from this, being led by the board, what will change from our own risk assessment within internal audit and it is trying to balance that altogether. That is the difference for me, the area I have been thinking about over the last few weeks is also where we may have to second-in some in-house expertise, whether that be in health and social care or our learning and employability divisions. We might also need to place more reliance on the second line of defence, particularly quality and risk management functions, but that is an area I need to explore a little bit more and discuss with the audit and risk committee to make sure they are comfortable with that.
Another interesting element of our organisation is that we also have a division that is a social enterprise and the whole mission is to try and create employment for people with disabilities of varying types. There are different operations around the country, some are more like a cottage industry, others with specific key skills provides support to multi nationals in particular areas. But one of our operations was on the news only a couple of weeks ago because they actually make PPE. Traditionally they would import material and their customers would normally be painting and decorating contractors, maybe the cleaning/laboratory type suits that are needed. As you can imagine the number of orders received over the last few weeks and they are trying to up-scale. An interesting thing for me is, we are having to think, do we have the necessary skills or depth of skills to support them in an increased scaled up manufacturing setting, which is different to what we had been used to for the last number of years. So, this is something I will be looking at to try and get some training for myself and my colleague and in the immediate short term it is probably going to be contracting an individual, that I know that comes from that background and could lead a particular project. It is almost the traditional risks for us there, those risk exposures are increasing and that is everything from stock supplies to having appropriate credit controls, the actual stock management itself, the amount of capital that we are tying up, so in many ways it is a classic audit risk, but it is a bit of a departure for us, because this is one part of the organisation and it is taking prominence over other areas in the last few weeks. So, just an example of how something can change so quickly.
Interim CEO comments
I think we are all trying to catch our breath at the moment it is incredible how things have changed in a short space of time. It was also an interesting point in that tradition risk exposures are increasing in what is notionally 'business as usual'.
Institute’s responseMy takeaway from that was the point that was made about the relationships they are building across the organisation, because I think that will help internal audit as we move forward into the new world, whatever that looks like because we will be able, having built those relationships in times of crisis, rely on colleagues, perhaps to help us understand some of the challenges around risks, some of the new processes and protocols that the organisation is adopting and I see it as being much more of a ‘working together’. Now that is not compromising internal audit, but I see us as working much more closely with the organisation to deliver both our assurance and the organisations goals and objectives and mitigate risk.
Q5. What investments are the most necessary to create the technology environment that will allow the organisation and internal audit to thrive in the next normal/future, have you prepared your business case?
Interim CEO comments
This is addressing me as a CEO.
The first thought won’t be a surprise to anyone. A new normal with continued remote working.
My first requirement as a CEO is to have secure communications technology. We need to address the cyber security threat and I can see this builds on Guest panellist 1’s point.
The next, for a CEO working in a consumer related business or a business producing things in particular, but it could apply to many different areas and it is about uncertainty. Uncertainty in our end-user markets. There is likely to be very significant disruption and clearly in an agile environment I need to understand my markets. So, this is why technology investment in data analytics or anything that means that I can get information about my market environment, in my view is absolutely vital.
Third, I think there is going to be an increase in mergers and acquisition activity within the private sector. Most businesses will have to rebuild balance sheets, revenue streams, profitability. There is a lot of pressure on a CEO to get value to provide shareholder returns. I know that doesn’t apply to everyone here, but to this end diversification, buying cheap assets, buy and build are likely.
Could I briefly have the Institute’s thoughts on mergers and acquisitions?
Institute’s responseI think this is where internal audit can help with due diligence, whether we are merging, whether we are acquiring. Look at the organisation, look at annual reports, look at data available, analyse it and make recommendations to the CEO and the board in relation to the information we are being provided with, to ensure it is not mis-information which means that we make the wrong decisions.
Interim CEO comments
Finally, there are some technology megatrends that are established, I could mention AI (artificial intelligence), internet of things, but in a disruptive transformative world. Whatever is already happening will go faster and we need to be prepared for that. The final question is very technology focused and technology is only one asset. Our biggest asset is still people and to re-build we have got to re-build liquidity and retain, and re-build and, recycle assets. As I have said our biggest asset is our people and it is only through recognising people as well as everything else that we will regain confidence and emerge from recession.
As today’s session draws to a close, I would like to thank you all for attending and for contributing to our discussion and a special thanks to our two guest panellists.
We are very keen to get your feedback about this forum, in terms of both format and content. This will be invaluable for shaping future meetings and making sure they meet your needs. So please do share any thoughts to Liz Sandwith (firstname.lastname@example.org) or Derek Jamieson (email@example.com)
And of course, we will happily take further questions outside this forum as part of our ongoing approach to the COVID-19 crisis – so please do get in touch if there’s anything else we should be looking at!
We have a substantial number of very experienced HIAs on the call, if any would like to volunteer to put themselves in the mastermind seat that would be gratefully received.