Heads of Internal Audit Virtual Forum | Key takeaways

8 April


Please note:

  • All Institute responses are boxed and highlighted in blue.
  • All delegate/attendee comments/statements/replies are un-highlighted and un-boxed.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chat box and attendee comments, questions and actions

1. What are your key concerns/challenges for when we start to come out of the lock down and return to a ‘new normal’ way of working?

The challenge is to make sure management utilise ISO 9001 Plan Do Check Act (PDCA) process for emergency control overrides by thinking logically:

  • For how long override is needed, when and how to return to normal (P)
  • Implement emergency process (D)
  • Check that the override process works as intended (C)

Monitor emergency process at least in a basic way and monitor conditions to see if the process can return to normal.

This will hopefully allow a more structured return to normal by having a record of what is changed and when. It also will allow for a robust after-action review we plan for when it’s over.

Going back 'to normal' - how do we decide in the first place it’s time to go back?

Once we are back though, certainly cuts to the internal audit teams is a huge concern. There is a lot of furloughing of internal auditors in our sector right now and many in the sector have been asked to rescind job offers and/or cease their co-source arrangements to save costs. I worry this will impact the capacity and also capability of internal auditors to deliver audits – especially where these need specific skillsets not in in-house teams.

Specific assurance work over supply chain in response to COIVD-19 – there is a risk that a number of our suppliers won't be there/ready when we need them to be.

We are doing a contracts and procurement review (off the back of supplier management last year) for this reason and to look at costs.

We are implementing continuous assurance process over key supply chain transactions

Same here + a COVID-19 special observation (credit decisions, business as usual, management information and COVID-management information, cost saving initiatives, suppliers, payments, etc.)

New normal in relation to increased use of electronic documentation, time stamps, more use of video fieldwork - we have engaged legal counsel in this regard, as well as our audit co-source partners.

2. Are audit committees’ meetings being held virtually at the present time or being cancelled?

  • We amended our articles and meet through Microsoft Teams.
  • Everything is business as usual but virtual.
  • We are meeting virtually.
  • On Zoom (and before that we always had Skype).
  • Our audit committee is meeting virtually in a couple of weeks' time.
  • It would be worrying if they are cancelling.
  • Virtually, all board and management meetings are being held via Microsoft Teams.
  • Virtual committees all around and working.
  • We held ours virtually, a bit challenging initially but it was fine.
  • Our audit and risk committee also took place last week on Microsoft Teams.
  • Our governance meetings are all happening virtually.
  • Our audit committee is not meeting as we move to an 'urgent' arrangement that stops all council committees with the political leaders and chief executive delegated emergency powers for decisions and scrutiny.
  • From a governance perspective, the terms of reference of the audit committee may have rules around whether a quorum can be met virtually.
  • Re quorum - we co-opted extra members to the audit committee. They are not members of the board but have voting rights.
  • We had our virtual audit committee last year.
  • The use of such technologies (and Zoom in particular) does bring new risks, agree that audit committees should definitely continue though.
  • As part of our move to business as usual governance, we are looking at implementing a cabinet model that will have scrutiny responsibilities and will likely include our audit committee chair.
  • Virtual audit committee meetings in local authorities not really an option as they also have to be webcast live for public transparency - presents a real challenge.

3. Internal audit plan work

The Plan is continuing although we have been looking at revising some of the scopes in light of the possibility of having to do audits remotely.

The main issue is getting access to systems and data to reduce reliance on the business providing required information.

4. Is anyone considering the impact on the performance of controls - especially any controls that are "manual" in nature?

We have specifically looked at the risks surrounding being virtual - working alongside the risk team to identify any vulnerabilities/areas of weakness.

5. As part of the focus on key risks and controls, to what extent is internal audit focusing on those that relate to IT/Cyber Security?

We did a full review of physical security and IT security risk assessments.

It’s a key part of the risk universe and the risk is changed/changing so absolutely in scope.

IT and cyber - nature of attacks haven't changed, only frequency, so this is one part of the plan that survives almost intact.

We have open internal findings on network and cyber security, so we are exposed. Challenge is that IT is outsourced to a third-party provider.

Fairly high. Well managed centrally by IT and regular company communication

We have a red risk on cyber on our corporate risk register, so we continue to have IT/Cyber as a key focus.

Good idea to resend the IT policy/procedures to all staff.

We have seen an increase in fraud. IT is outsourced. Have had a programme of mandatory IT/Cyber security training for 15 months and awareness of the threat is higher...but not perfect!

I'm concerned about protecting personal data and potential data breaches.

We put key rules as background picture on everyone's desktop including service desk phone numbers.

Continue to keep close to this area, communications being issued, and homeworking briefings were carried out.

Bite size fraud risk cyber risk awareness messages etc. communications via newsletters.

Limited IT/Cyber coverage in response to COVID-19.

IT/Cyber remains a key risk - looking to preserve coverage.

6. As well as reviewing the plan has anyone ramped up collation of business management information and attendance at key governance forums?

There is more we need to do in improving this. We are having more meetings - a daily senior managers' briefing and focused update. Management information needs to be better, more accurate and more timely, but long-established problems here!

I think it’s a key tool for us - depends on the status with management and culture of the organisation. We've made great strides in this space and I think it will help in the long term as we make a definitive move to continuous monitoring.

One key risk for me is that a suite of Covid-19 management information has been prepared, but there are no controls built into the process to confirm accuracy. There is a risk of decisions being made based on inaccurate management information - raised this as a risk in our Strategic Covid-19 risk register.

We have reviewed, we have 'shadow' boards who are formal deputies, if their approval limits need to be adjusted this can be done centrally, we will be consulted where there is potential for segregation of duties issues. We will include this in our continuous monitoring.

7. To what extent is key person dependency being reviewed given the significant risk that those with key skills or key decision authorities may be significantly hampered in the coming weeks?

Our key person dependency considerations have been led by existing business continuity plans which already identified key processes. We’ve been focused first on enabling an additional individual (already pre-trained) functionality for running payroll and similar essential processes. Additionally, we’ve had further people added to each delegated authority level so that payments etc. can still go out. For decision making, there are clear alternates for executives, but also, we are maybe protected by the fact that we have a (maybe normally too) large executive and we also had pre-identified alternates for everyone in the Incident Management Team.

Not sure how - our issues are more at the opposite end of the spectrum eg payroll/invoicing/ key data crunchers are our main exposures that we are trying to ensure are covered - senior levels are ok.

8. Are organisations scenario planning for say 1 month/3 month/6 month/12 month lock down scenarios?

Good idea.

Via heads of audit networks and groups.

9. What would be the internal audit approach when the majority of your business operations are shut down and the majority of personnel are at home and focused on preparing to go back to normal?

Complete what engagement work you can, consider using analytics to best effect, do follow up of recommendations/actions with managers working from home, update internal audit policies and the manual, prepare for/commission an EQA if you've not had one etc... Just ideas!

10. How are you keeping abreast of and responding to regulator guidance relevant to your organisation eg FRC?

The Charity Commission issued and then quickly rescinded high expectations for reporting incidents during COVID. The Charity Commission's revised position is that they will be reasonable and flexible following feedback from charities. However, they are highlighting the need for charities to continue to prioritise those incidents that place individuals at risk, or incidents that have had a significant impact on a charity’s operations and therefore serious harm to the charity’s work (of course many charities are at serious risk of operations not being able to deliver their key services right now due to the huge drop in funding.)

At the Scottish HoIA forum we encouraged participants to think about 'reasonable steps' which is a requirement under SMCR for HoIA's and a good principle for the rest of us, capturing key decisions and rationales will help us if we are asked questions or indeed do our own lessons learned.

The challenge for local authorities in the public sector is the very wide range of regulators scrutinising the services that we deliver. We have the Care Inspectorate; Education; the Housing Regulatory Authority; the Government (eg planning and building standards) and the Cabinet Office to name but a few...… 

Continuous monitoring is having its day and should be a real focus post Covid. What do people the Institute think?

Derek Jamieson - Institute - Happy to pick this topic up at a future forum

11. General feedback from the session

  • Another great session - thank you - especially liked the surveys throughout the video call. The Covid-19 hub is really helpful and informative.
  • Good topics and good opportunity for future meetings. As always whilst we have common concerns the sector differences make it challenging but hopefully sharing works well for us all - take something away for the day job.
  • Excellent session, thank you, very helpful and will most certainly take the good practice away.
  • Thank you all (x 2)

Attendee comments, questions and actions

To prioritise the discussion, participants were asked to complete a quick poll on four questions and based on this the questions ranked and discussed in order of preferences.

Questions for discussion

Poll results

New Normal - What are your key concerns/challenges for when we start to come out of the lock down and return to a ‘new normal’ way of working?

48%

IT/Cyber Risk - As part of the focus on key risks and controls, to what extent is IA focussing on those that relate to IT/Cyber Risk?  

19%

Key person dependency – To what extent is key person dependency being reviewed given the significant risk that those with key skills or key decision authorities may be significantly hampered in the coming weeks?

19%

Regulatory guidance – How are you keeping abreast of and responding to regulator guidance relevant to your organisation e.g. FRC?

14%

1. What are your key concerns/challenges for when we start to come out of the lock down and return to a ‘new normal’ way of working?

Institute’s response

We need to start thinking about the plan for 2020/21. Anything we had in our plan that we took to the audit committee that was approved at the beginning of the year is now up for re-negotiation, re-confirmation.

I think there are new and different risks and processes that we need to ensure are covered and it is highly likely that we will have less time, we won’t have a 12 month timeline in which to deliver our assurance, it could be 9 months or maybe 8 months.

It will be interesting to see how the lock down and how coming out of the lock down  plays out, we need to factor all of those things into our thinking and reflect on the fact that we might be asked to rethink the size of the audit team. Partly because I think that organisations are going to be different, they will have been economically affected, significantly, by the coronavirus.

Audit teams are going to be different sizes with different priorities, and that this may put some challenges on internal audit, and we will have to think about that.

I am in the process of creating a document with some of our colleagues that will explore some of these issues and I expect to have it on our website after the Easter break. I think it is a challenging time and internal audit ‘normal’ will be different as we come out of this and we need to recognise this and we need to remember more than anything that internal audit needs to be relevant to what our organisation is doing; needing from internal audit, and we need to talk constantly to our audit committee and our audit committee chair to agree the way forward.

 

I am conscious of the conversations we’ve had across the group both this week and last week and just about everybody had been looking at the plan and what they can do with that plan.

We talked about changing the plan in a couple of forums, could you tell we where you have got to with the plan?

Our plan was due to be approved in March to kick off with effect from 1st April 2020. It hasn’t even gone to the audit committee for approval as COVID-19 interrupted that, so we have no plans to take the plan to the audit committee for approval until we know the outcomes of COVID-19, and what the impact on next year’s plan will be. At the moment we have rebased the internal audit plan with effect from 1 June 2020 so that we are hoping that we will be able to start working the plan with effect from 1 June 2020, but also recognising that if the recovery takes longer than that, then we are probably going to have to rebase again. I think that the other thing that is happening at the moment, is that our internal audit team are being pulled in a number of different directions, so in the public sector, in particular, the Government have come up with a number of new things. For example, business grants to support businesses that are struggling, and councils and local authorities are being asked to implement processes to support those. Our audit team are now actually designing and implementing some of those processes to support the first line. They’re also being pushed/pulled into 2nd line risk management activities too. Where I’m at, is that I’m thinking that I’ve got an audit plan that I could theoretically start at 1st  June, if we are in an appropriate recovery position, but I’m also having to think about the impact of the additional work that the team is now doing. I then need to think how that is going to impact delivery of that plan so to echo the Institute’s comments it is really uncertain for me as to what the shape of the plan looks like at the moment. I am engaging with our convenor for  the audit committee who is a politician and saying to her I don’t know when I am going to be able to come and present this plan or the shape of what next year will look like. We’ve got quite a good idea of what this shape of the current year will look like. Our current year plan is due to finish on 31st March 2020 and we know we’re only going to be able to deliver 70% of the current 2019/20 plan but the 2020/21 plan, will remain under constant revision until we see the recovery path of the council and also the impact of the extra ask on our internal audit resources.

Question to everyone on audit committees: In the short term are they being cancelled or are they happening virtually?

The reason for my question is that I chair an audit committee for a local authority. I received e-mail the other day from democratic services cancelling the next meeting due to be happening in a couple of weeks’ time. My question back is why we don’t hold it virtually?

I’m also the chair of an audit and risk committee for a housing association. I was asked the same question by the officers and said, ‘no we won’t cancel it we’ll hold it virtually’ and we held it using Zoom and it worked really well. So, don’t anyone be worried about doing it virtually, I think it works well the only difference is like everything virtual, you can’t quite read the room quite as well but nevertheless it works, so it’s great!

My view entirely and I will be going back to them as you would expect.

From discussions there has been some concern about the age group of some of the audit committee members. Some of them themselves might be having problems at the moment or in the near future and the question then becomes, what is a quorum? Do we have enough members to make decisions? So, there’s a question mark for possibly something to think about there. I don’t necessarily think that internal audit should be challenging the board to make sure that they have committee quorums, but certainly something to be aware of.

Going back to the first question, we talked about the planning, we talked about holding audit committees, are there any particular topics about the ‘new normal’ of concern that may be resonating as topics of concern?

A message on the ‘chat’ that has come through is about supply chains and so forth and a topic worth sharing.

 

While we’re thinking about how we wind down and respond, we’re also thinking about how we staff back up. We need our suppliers, we’re very reliant on them and our sub-contractor market. A lot of them live week-to-week or perhaps day-to-day, so it is about how we help them stay around. We have set up a hardship fund where they can apply for funds from us directly and we’ll contra that  from services provided to us when we are stood back up, but we’re conscious that others won’t survive. We conscious that it is a very international supply chain so we’re just starting to look at what the issues will be when we start back up. We’re starting to think about along with our management team, so it’s a mix of our usual audit work around supply chain but that real time assurance of observing and advice around the supply chain piece we’ll be looking at. I would imagine that we’re not alone in that challenge as well.

Views were sought on the audit charter, in relation to the audit charter mentioning meetings being held virtually.

Institute’s response

I know that a number of committees and boards that I have been involved with, from an audit perspective had defined rules. The bigger the corporation generally, the more formal the rules about what constitutes a quorum. I have seen board committee charter/terms of reference where it specifically prohibits dial in or virtually constituted forums. Needing to get a derogation for this in the current environment but its possibly worth checking.

Going back to the question we started with, which is that we also need to bear in mind the regulators which is why I wanted our audit committee in the social housing sector, to go ahead because regulators are being very aware of the scenario we’re facing They are talking about delaying inspections, the Care Quality Commission, the Social Housing regulator and a number of others are delaying them, they’re delaying the submission of information, but what they are saying is that if you have problems you must let your regulator know. So, I think things like your boards and your audit committees need to continue because we need to make sure that if there are things, we need to be telling regulators we are doing so.

I think that is essential. If anybody has any key governance forums that aren’t meeting, then I think that internal audit should absolutely step up and call that out. There’s never been a more important time for the governance forums to be in place and operating, co-opting people in etc. And again, the point that has just been made about the regulators, the strength of that relationship and keeping that well invested, making sure you are transparent, but it really does pay dividends, because they want that transparency and openness. If you are not in a place where you have that strong relationship, invest some time through compliance or through whatever it needs to be, the personal point it’s very important.

2. As part of the focus on key risks and controls, to what extent is IA focussing on those that relate to IT/Cyber risk?   

Institute’s response

I’ve been monitoring this and one of the things that is becoming very apparent is the number of phishing emails that are coming out, the number of attempts at identity theft, issues around working from home and the lack of security.

I’ve heard stories over the last week about people working from home not being able to us their organisations virtual private network (VPN) so they’re doing their organisation’s emails on their own laptops, to fulfil what they genuinely believe is ‘doing the right thing’ in difficult circumstances.

We’re about to upload a piece to our COVID-19 hub around fraud that looks at a number of the cyber and IT security issues. But I think it is a point in time to make sure that perhaps while people have time they are up to speed on all of their appropriate IT security training, make sure they’ve read the policy and perhaps we should be sending it out to all home workers so that they are very clear about what is expected of them.

This is a high-risk time and I always go back to an example of a phishing email that came from supposedly the organisation’s chief executive officer (CEO) to their finance function who said that he needed £30,000 sent immediately. They spotted that it was not from the CEO purely and simply because it said, ‘thank you’ and apparently their CEO never says thank you.

We just need to be doubly sure and I think that internal audit has a real role to play there.

From my perspective, I am a director in a smaller organisation, which hits the key personnel dependency too. We have a situation where the system is supported by two individuals, one is off sick with something else just now and it turns out we now have a problem, because the other person is on furlough now. So now we have an issue with the furlough situation but that’s just life!

I would echo what has just been said, there has been a significant increase in the number of phishing emails both to customers and to staff members. One of the things that I think is a danger from this perspective, is people trying to do the right thing but doing it in the wrong way. And again I would echo some of what the Institute is saying, where systems are struggling people are trying to do things with the right intentions, but are not aware of the gaps that might open up, so the communications from IT and business protection teams are critical in this instance. We are seeing a big step up in that area, we just need to make sure that people keep that in the front of their mind, as well as how we can make sure that we are helping our customers.

Institute’s response

I think it is very interesting from a CEO perspective, I’ve noticed that the Institute team, everyone has really tried hard. The danger is that some people overcompensate and when they overcompensate or they get too pressed with deadlines, that are not deadlines acknowledging the current situation, that’s when they feel pressured and make mistakes. So, this is all about the line of having procedures whereby they phone in, they support, they actually probably have a more flexible approach to management, a more agile approach to management than before.

The key thing for us, is that we had already done a physical security review relatively recently and that was very pertinent, given that central London is a bit of a ghost town right now and also that we’re in a shared building, so who’s coming and going is a particular concern. Those concerns aside and given that a lot of our work can be done remotely, in fact all of it can be done remotely, we have the usual training rounds of quarterly compliance training so that was heavily focused on phishing and IT security risks. I think for me the outturn from  COVID-19 will be that we re-address IT security risk in the audit plan quite urgently after we go back, given that quite often people or risks can remain in the system without being there evidently from day one. Things can turn up six months down the line and looking back over the period we have had we would want to look to see what could have gone wrong, if you like, and what risks there were, and what we can put right or find, so bolstering controls for next time and look at lessons learnt as well.

Going back to a conversation this morning, not relevant to IT and Cyber. But talking about end user computing and spreadsheets.

Every organisation is currently doing financial management on the hoof in some sense at the moment looking at different scenarios. This morning I had a conversation with an organisation who had done its planning and then found a £1billion error in the spreadsheet formula. This is the bog-standard base line internal auditing work that that we do every day, every week, and raise findings on time after time. It keeps on cropping up, I just offer that as a hot off the press, you don’t want, as an organisation, to be building your plan ‘b’ on a completely wrong premise/formula that percolates  through all of your spreadsheets – it is a bad place to be.

 

To move onto the third question, key person dependency. We touched on this in cyber risk. You have a range of key people that have been identified  in the ‘business as usual’ sense, who may be even more critical just now and you can talk about IT controls, you can talk about change controls, you can talk about people with key delegated authorities for decision making so the question was:

3. To what extent is key person dependency being reviewed given the significant risk that those with key skills or key decision authorities may be significantly hampered in the coming weeks or months depending how you look at this?

Institute’s response

We need to think about this differently so, we probably all have an idea of some of the key people in our organisation. We put succession plans in place to protect the organisation, if something happens, and I always use the ‘they get knocked down by the bus’ scenario.

But in this scenario, I think we need to think differently. I think we need to be thinking about the decision makers. So, who in your organisation are the decision makers and recognising that potentially at the moment due to people being sick, family being sick, etc. some of the decision makers won’t be there. Instead you will have people making decisions who have not previously been a decision maker, so it will mean that the wrong decisions will be made, and it will be how quickly can internal audit help the organisation.

The furlough example, a great example, we made a decision, the wrong decision, how quickly now can we fix that decision and make the right decision moving forward.

I don’t know if any of you are browsing the internet at the minute but McKinsey and Company have written a brilliant piece on Leadership in a Crisis and they talk about elevating leaders, recognising the need for people to make decisions with support from the organisation.

But the word that we use as internal auditors all the time, ‘communication’, make sure that people are talking to each other, whether it is us talking to the CEO, the audit committee or senior management – talk! 

I don’t think we’ve had any change at all on decision makers, we have a well governed, and a good governance and management structure, which caters for if an individual is not there - I don’t think that we’ve noticed any changes at all. That’s not to say that the discussions are as easy. Just going back to an earlier discussion, in all of our formal governance meetings they are now by WebEx, a similar facility to Zoom and they are a bit ‘clunkier‘ but I think that everyone recognises the importance and criticality of keeping that governance and management structure working and perhaps it is even more important to do it as people are a bit more distant from the day-to-day processes in the office.

Where we are, we have a lot of business continuity planning and emergency response planning going on at the moment. There are governance structures set up and we haven’t seen anything major in our area. We have good arrangements in place I feel, being in key communications with the chair of the audit committees that I am responsible for, and I think that everything is going as best it can at the moment. But like the others have said, this is probably still early stages and there may be some changes going forward, but we’ve all been responding to the decisions that need to be made, being made by the most appropriate people. There’s decision making powers in place and that might be delegated but I think they are being done well at the moment, so at this point in time I feel quite comfortable with that. But as you say, through all of this communication is essential.

Institute’s response

I think it is interesting looking at the different challenges, in the different sectors and how they are reflected. Large organisation great, delegated authorities, decision trees, lots of succession planning - I feel absolutely certain are in place.

Then in perhaps the public sector world you may have much smaller organisations that don’t have that framework in place and therefore are potentially and I use a colloquialism here, making decisions on the hoof as it were, as they are coming up and facing challenges and this is where, as internal audit, we need to be getting in, we need to be contributing and we need to be helping provide assurance around the decision making.

4. How are you keeping abreast of and responding to regulator guidance relevant to your organisation e.g. Financial Reporting Council (FRC). 

So as the weeks and months roll forward, the regulators no matter which sector you are in, will have a changing view. So, I’ll start, with the FRC as they probably cover most ground. Their  views about  external audit can very easily be read between the lines to find  a huge internal audit implication here, I am very much interested in peoples perspectives of how it is affecting you, what it’s doing for the work you need to do going forward; if you haven’t already got it in scope and also what might be the minimum to comply in terms of audit completion over the course of the next few months.

Institute’s response

I did a bit of homework and had a look round at some of the regulators. One of the things I would say as a head of audit, we should all be looking to see what our regulators are saying.

FRC is talking about how important it is to continue the audits, that they must be of the best and highest quality. So, although some of the timelines are slipping the quality must not slip and I think that is a really strong message for internal audit as well.

The Financial Conduct Authority (FCA) have done a revised business plan that includes a section on COVID-19, ICO have provided guidance, CQC have said that they are suspending visits and inspections as is the regulator for social housing.

The Institute of Directors (IOD) has done some brilliant briefings for SME’s. The message I’m picking up, the commonest theme, is talk to your regulator.

So, if they are not visiting that doesn’t mean we can take our foot off the accelerator. Actually, what we need to make sure is, if we have any concerns, anything that’s not working quite right, so in the charity sector, in the social housing sector, if you’re having to give people rent holidays, manage donations make sure you talk to your regulator, so they know what you are doing. I think that is true across all regulators from what I’ve seen.

The regulators, the financial services regulators are obviously looking very closely at what every firm is doing. We speak to the Prudential regulator every other week and we know that some firms speak to them every hour, so that just gives you an idea of the intensity of the monitoring. Two or three weeks ago we decided to be super prudent and to raise the amount of liquidity that we hold, so we increased the rates for the deposits that we offer on-line, and within one hour we had an email from the Prudential regulator saying, oh so you’ve increased your rates, what happened? We just told them that we are sitting on a very comfortable cushion of liquidity and we want to make sure that it becomes a really fat comfortable cushion and that was fine, but they are absolutely looking at practically everything that everyone is doing. I read in the press that Barclays are receiving 25,000 calls a day, as opposed to 3,000 calls before the crisis. The number of calls we receive hasn’t increased that much, so I don’t know why the big banks are getting a lot more. But as opposed to the big banks, we do not have any legacy systems, we are quite ready to respond to any potential rise.

Institute’s response

It is absolutely vital keeping regulators on board, I’ve met this in the charities sector, I’ve met this with the Skills Funding Agency, I’ve met it when organisations have been in particularly financial distress or crisis and I’ve never had a poor response when I’ve approached a regulator.

They always welcome it, always in my view, you sometimes have to, how would I say, there’s always an issue timing in some areas but early contact always pays dividends, similarly if you have key stakeholders and there’s an issue over your organisation, talk to your stakeholders early.

It’s been quite interesting with the charity sector; the Charity Commission came out very quickly with a statement saying that they expected charities to be extremely vigilant and continue to make serious incident reports - that that was a priority. Quite quickly I think, people responded that charities were under a lot of pressure, they were thinking about a lot of things, and the increasing requirements for serious incident reports might not be helpful and the sector rescinded the advice. So, I guess a good example of where interaction with the regulator can be helpful and they are taking on board feedback which is positive. I think that the current advice since they rescinded the original statement has really been on focusing everyone on, can we still focus on anything that poses a risk to individuals and anything that poses a serious risk to operations, although, again I think for the charity sector it is a truly difficult time. Many charities are having a huge drop in income, the amounts of staff being furloughed at some charities are 80% and many are even struggling to deliver key services, Sue Ryder has even mentioned today about potentially not being able to provide hospices and continue running the hospices that they currently do, which obviously will have a massive impact, so I think the regulator is starting to realise that for some charities, this situation is going to be about surviving more than helping with the COVID-19 response. It is very difficult and I think that like you say what is going to be really important is continued interaction with the Charity Commission so that they get an understanding of what the sector is experiencing and how they can support.

I am going to conclude on the four questions just now and go back to a comment made, at the beginning of the meeting, to get a bit more elaboration.

Throughout the entire emergency process operations, there is a logic to what management is doing. It is very important to make sure that we are able to see the logic so that we can provide real time, or almost real time assurance. It will also be very important to make sure that when things are starting to return to normal, that we have a full record of what management implemented as emergency overrides and emergency controls, to make sure that we have a path to restore operations and it is a great tool to save us from the fact that each organisation, or each person who handles the exception from the control, not doing the thing that they want or contextually is right but that there is a guidelines, there is still order in the madness.

Please give us feedback on these forums, we evolve them on the feedback so the more we get the more you get, I hope.

I have spoken to a lot of people over the last few weeks and I would suggest that if you haven’t already, have a look at the COVID-19 hub, there is more than just a couple of documents there. You may have seen similar documents elsewhere, but you may not have and hopefully is it of value to you and happy to take feedback on the content as well.

Happy to take questions outside of the forum too so please get in contact with Liz Sandwith (liz.sandwith@iia.org.uk) or Derek Jamieson (derek.jamieson@iia.org.uk) or John Wood (john.wood@iia.org.uk).

We are inviting people on a rotational basis so we have three sections of people here, the first group is people who represent bodies, forums, etc. so that might be higher education for example. We also have a second body that are regional chairs, we ask them to cascade out to local membership and get the feedback back in again. The third group is everybody else who are heads of internal audit, not members of committees or forums, so if you wish to come back again please get in touch with us and we will rotate you back in some time in the future.