All change - adapting the audit plan in turbulent times

Everyone knows that 2020 turned everything on its head – including agreed annual internal audit plans.

According to IIA Global, “About half of all respondents cancelled or reduced scope for some audit engagements. At the same time, about 4 in 10 added new engagements in response to the pandemic.”

So, how can internal audit functions learn from 2020 to plan for 2021?

  • What is required, no matter what happens?
  • Where is there wriggle room?
  • And, if plans change, does this mean internal audit’s opinion and assurance are somehow qualified or reduced?

This blog will look at how one internal audit function faced these very questions – while also undergoing a combination! Heidi Dainton, Audit Director at OneSavings Bank, a specialist lending and retail savings group, shares her experiences.


A case study: lessons from OneSavings Bank

Last October, OneSavings Bank combined with Charter Court Financial Services. The focus for the internal audit team, at the start of 2020 was on aligning our audit methodology and practices, adjusting to an organisation that had doubled in size, (operating under two banking licences) and learning to navigate and understand two similar but still different cultures; and then COVID-19 struck!

We have taken a very different approach to our audit plan for 2021. Given how closely we worked with the first and second line to provide real time assurance during COVID-19, we were able to easily identify at least forty audits that have to be completed in 2021. These could be due to emerging risks such as customer vulnerability, levels of forbearance, cybersecurity, operational resilience, etc.; or mandated ie responsible lending, Internal Liquidity Adequacy Assessment Process (ILAAP), etc.; or due to our internal integration change agenda.

We went to the audit committee and proposed a different approach to the intensive bottom-up planning exercise. Instead, we have been more agile and pragmatic, adopting a top-down approach to ensure our audit plan focuses on key Group risks and mandatory audits. To achieve this, we started with a list of audits we knew we needed to deliver. We then asked ourselves how we could get the most out of each audit. For example, we can use mandated audit to provide assurance over the emerging risks such as responsible lending. Given the increase in customers experiencing financial difficulty, many are using payment holidays. So, we can check that the affordability process has factored payment holidays in and resulted in a fair outcome for the customer. It just feels like the right thing to be doing anyway.

We have also reviewed our proposed scopes to ensure we add value and focus on the highest risks. We have removed end-to-end reviews as these take significant weeks and cover everything. Also, more than ever, we have understood what second line and external assurance is available, so that where practical we are not duplicating effort. We have shared the plan with our senior management function holders and asked for their input. We also scanned our audit universe to challenge ourselves on how comfortable we are with the areas we continue not to cover, and reviewed the plan against the bank’s risk register. Reviewing industry hot topics and tapping into our network helped us understand what peers are doing and see what we should include.

Our reporting to the audit committee is very transparent. We are clear on what we have and have not done in compiling the draft 2021 plan. More importantly, we are explicit on what areas of the universe we will and will not cover. We have included a slide that shows important areas not covered and why – eg management are fixing the area, or other assurance functions are adequately covering the risks. We also have a slide which shows those areas that are not covered for three years or more, which we will not cover in 2021, and why. Although we risk assess our plan every quarter, and adapted it where necessary, 2020 has taught us how much the plan sometimes needs to flex in response to exceptional circumstances. Going into 2021, we accept that if management goes into crisis mode again, our most important role is to keep that holistic view of the control environment. We will continue to challenge management, and scan the horizon for emerging risks, all of which means we will flex the plan as needed.

This approach works for us, as we are lucky that OSB executives value the independent assurance and insight we provide. They challenge us constructively about our budget, but we never have to justify our role. I am not sure this approach would work if you were operating in a more constrained environment where you were being asked to downsize your team.

We realise that this approach hasn’t yet stood the test of time. We’re also slightly apprehensive about how we would feel if something popped and we had to justify not reviewing that area, or how an external quality reviewer would see it. However, we just have to be practical and accept it was the right thing to do this year, and it will continue to change.

Lastly, thoughts on this year’s audit opinion. It seems like there is more to say than ever about the risk culture environment, management’s response to COVID-19, changes in the control environment, etc. We acknowledge we’ve had to perform our audits remotely, and at first, that lack of face-to-face contact concerned us. But again, we have adapted, increased the use of data analytics and found new ways to become virtually connected.


Closing thoughts

This case study illustrates perfectly how a risk-based approach to internal audit can guide you in times of crisis. It also shows that radical change to the audit plan doesn’t reduce or qualify the resulting opinion. Working differently, in many cases better, means still being able to provide the assurance and insight the organisation needs.

If this blog has inspired you to approach your 2021 plan with a fresh perspective, here are some helpful questions from Heidi: 

  • How much time should you spend on the 2021 planning activities?
  • Is this the best use of time?
  • Are your proposed scopes as tight as they can be?
  • Are you making the most of other assurance functions’ coverage?
  • Is your report to the Audit Committee transparent about what you are not covering and why?

Look out for a webinar on this topic in 2021.


Further reading

https://www.iia.org.uk/resources/managing-internal-audit/future-proofing-internal-audit/
https://www.iia.org.uk/media/1691332/how-organisations-globally-are-responding-to-covid-19.pdf (Part 1)
ttps://www.iia.org.uk/media/1691333/covid-19-the-initial-impact-on-internal-audit-worldwide.pdf (Part 2)
https://www.iia.org.uk/covid-19-hub/covid-19-guidance/internal-audit-after-covid-19/
https://www.iia.org.uk/covid-19-hub/covid-19-guidance/chief-audit-executive-and-the-audit-committee-no-surprises-in-surprising-circumstances/
https://www.iia.org.uk/covid-19-hub/covid-19-guidance/reporting-during-and-after-covid-different-and-maybe-better/

Content reviewed: 16 December 2020