In the corner of a meeting room in the belly of Her Majesty’s Treasury stands a banner. Beneath the Royal Coat of Arms it reads: “A flexible and responsive internal audit service which has a reputation among top management as making a real difference, providing excellent value for money and that is regarded as a great place to work.” This is not only the credo for the recently inaugurated Government Internal Audit Agency (GIAA), it sums up its chief executive’s vision and aspirations for internal audit throughout the public sector.
Less than a year after establishing the agency, Jon Whitfield CMIIA is satisfied with the progress that has been made. However, he is by no means resting on his laurels. He knows as well as anyone what it takes to build a single service by bringing together what were previously separate audit teams.
Indeed, it was the work done under his leadership in setting up and running the Cross Departmental Internal Audit Service (XDIAS), the GIAA’s predecessor, that was acknowledged when Whitfield was honoured with a CBE two years ago. Even with the experience of having established XDIAS, the last year has been what he describes as a “monumental undertaking”.
“It actually marked the beginning rather than the end of something. We’re creating the agency as a means to an end,” says Whitfield. “We acknowledge that we’re still in the process of building the agency. We’re only 170 people and that will rise to close to 500 by the end of the next financial year. The growth of the agency will provide the opportunity for us to learn from and adopt the best audit practices from across central government. This is effectively the start of a lot of hard work and the first year of operation was always going to be, by definition, the first time that we tried a lot of things in a new environment.”
One of the characteristics of this new environment is a sense of expectation. Or, more specifically, a host of different expectations from the agency’s client roster, which includes the Cabinet Office, HM Treasury, the Department for Education, the Department for Business, Innovation & Skills, and the Department for Transport to name but a few. Some of the agency’s customers understand that it will take time to see the benefits of the service while others, who are now being invoiced for audits for the first time, expect to see immediate results.
Another characteristic of this new environment is a greater commercial emphasis. “Everything we do has a cost. That’s always been the case of course, but now, consistent with trying to get more from everything we do, there’s got to be a recognition that every choice we make about where we spend our time affects the cost,” says Whitfield. “We gave all of our people commercial training before we started, but it is now that we’re beginning to see the behaviours required to operate in a more disciplined environment and the recognition that the choices being made are fundamentally going to hit our customers’ invoices.”
The GIAA works with government departments’ accounting officers and audit committees, giving its professional input into their risk-based audit programmes. It is in this planning stage that the agency recognises a real opportunity to eke out cost efficiencies, the pursuit of which has become de rigueur in austerity Britain. This will mean identifying key risks, be it cyber security or commercial risk, that apply to all departments under the agency’s ambit. By deploying resources on a particular risk area across multiple organisations in central government, both the agency and its customers can benefit from an economy of scale. There are additional advantages to be gained from this “joined up” strategy.
“It also gives us the opportunity of spreading best practice, learning lessons from one part of government and sharing in the next. So there are all kinds of opportunities there for us to be more proactive in taking the subject matter for audits to the clients based on work across government, but also in conducting the work in a way that gives a better product,” says Whitfield. “There’s greater scrutiny of government spending from the media and the public which can only be right. Every pound spent equates in some way to a public service, so if it’s being spent on internal audit, the onus is on us to demonstrate the impact and value of what we do. That’s something that as a profession we’re not good at.”
This is a puzzle that internal audit has yet to solve, says Whitfield. In part, this is due to a simple lack of practice. Internal auditors are experienced at assuring against risk, but not necessarily communicating their own performance and how their work benefits the organisation. It’s also difficult to prove a negative: if internal audit is doing its job properly then risks have been mitigated and so the value of that assurance is not immediately obvious. It is only when a failing occurs that internal audit comes under the spotlight. “That’s a challenge and we have to rise to it.”
Whitfield says there is no definitive set of KPIs that show whether the agency is doing a good job across the government departments it is responsible for auditing. Indeed, departments may set different priorities for their internal audit service. Measuring performance therefore requires looking at all of the available indicators with a degree of subjectivity. “Such varied demands are not at odds with standardisation and our ambition to have greater consistency in what we do, but we must take care not to stifle innovation or restrict our responsiveness to customer needs. There will always be some variation in how the service is delivered by virtue of the individuals delivering it and the way heads of internal audit interact with their customers.” However, he adds that having common, centralised methods for assessing the quality of the agency and its staff’s work will help to hone a more effective service.
Government oversights and missteps are inevitable but when they reach the media they become big news. While it’s vital to learn from mistakes in their immediate aftermath and introduce measures to prevent them from being repeated, Whitfield says it is equally important that past lessons are remembered in the longer term. There is a tendency to address risks in the wake of an incident and move on when the next big story blows up. Therefore, maintaining awareness and keeping a given risk in the organisation’s psyche can be critical to mitigating it.
“Internal audit’s role is to help prevent risks from manifesting. One way that this can potentially be done is to learn lessons more effectively across government. For instance, if we see something that constitutes a near miss in one part of government rather than learn lessons from that only locally, let’s understand what nearly happened and why, and then spread the word to the rest of government. The GIAA is perfectly placed to help do this.” A major challenge for the agency, says Whitfield, is to have the foresight to be preventative. To be forward-looking and spread the word about potential pitfalls.
For the 12 months ahead, the GIAA has ambitious goals to leverage its position across government and grow further by taking on responsibility for services to four more departments, expanding its headcount to more than 500. With its first year in operation drawing to a close, however, the agency has laid the foundations for a cross-governmental audit service that will “make a real difference”. And in doing so is already living up to that credo.
Towards the end of last year the Government Internal Audit Agency mandated the Chartered IIA to conduct an External Quality Assessment. Jon Whitfield says the appraisal process shed light on some of the agency’s early challenges and will help it to hone its service delivery.
“The lack of consistency in the way things are done across the agency did not surprise me and the EQA has been extremely useful in identifying the specifics in terms of that inconsistency and the specifics that matter most to the quality of service. It’s been very useful in helping us to prioritise the things we need to do so that we can more quickly realise the agency’s potential.”
He also believes the learning process was two-way. The GIAA already delivers audits for more than 60 separate central government bodies and is only going to grow. Repeating assessments for each of its clients is not feasible. This is a challenge that EQA providers themselves will have to rise to.
This article was first published in February 2016